In February 2023, the dForce DeFi protocol was the victim of a reentrancy attack. The attacker exploited the smart contract vulnerability to steal an estimated $3.6 million in assets from the protocol.
Inside the Attack
The attack against dForce targeted the protocol’s Curve Finance vault on the Arbitrum and Optimism blockchains. The reentrancy vulnerability existed in code that was used to access price oracles when using Curve on Arbitrum or Optimism.
This read-only reentrancy vulnerability is well-known, and similar attacks have occurred against Cuve pools used by Midas Capital and Market.xyz in the past. To exploit the vulnerability, the attacker deposited flashloaned funds and then removed their deposit. During this removal, the attacker has the ability to exploit a reentrancy vulnerability and manipulate the perceived virtual price of the asset.
By driving down the virtual price, the attacker was able to liquidate other users’ positions in the wstETH/ETH pool. As a result, the attacker was able to steal approximately $3.6 million from the protocol.
In this case, the DeFi hack had a happy ending. The dForce team sent a request for the funds to be returned, and all stolen funds were returned by the attacker to the project’s multi-sig wallets.
Lessons Learned From the Attack
This dForce hack was one that exploited a known vulnerability for which Curve has published a suggested mitigation. This reentrancy vulnerability — and reentrancy vulnerabilities in general — should have been caught and corrected as part of a smart contract audit. However, the exploited vulnerability was out of the scope of dForce’s audit.
A complete, in-depth security audit is essential to protect against these common smart contract vulnerabilities and DeFi hacks. To learn more about protecting your projects, contact our Web3 security experts.