dForce, a decentralized finance (DeFi) aggregator integrated with several blockchain networks, has just been hacked for $3.65 million. This makes it the second time the platform has suffered a security breach.
dForce is a DeFi platform that offers trading and lending services to investors. It supports seven different blockchains. They are Ethereum, Arbitrum, BNB Chain, Optimism, Polygon, KAVA, and Avalanche.
How Did It Happen?
On-chain data shows that the wstETHCRV gauge vault on Arbitrum and Optimism were victims of the latest exploit. The hacker borrowed 69,665 WETH through a flash loan and converted the holdings into ETH. The funds were then added to the wstETH/ETH pool on Curve.
From there, the attacker performed several exploitative actions. One of them was that the hacker manipulated the price oracle that feeds live prices to the wstETH/ETH vault from the wstETH/ETH pool. Another action carried out was the liquidation of other users for profit.
At the end of the attack, the attacker converted the wstETH tokens received into ETH and paid back the flash loan. The hacker then pocketed a profit of $3.65 million, at the expense of dForce. According to blockchain security firm PeckShield, the stolen funds were split among three different cryptocurrencies – ETH, USX, and USDC.
At the time of writing, the stolen funds remain in the hacker’s wallet.
dForce Comments
About two hours after the exploit began, dForce commented on the attack via a Twitter post. The team noted that it had halted activity on the affected vaults. It added that other network services are fully functional. A detailed analysis of the exploit is yet to come from the team.
wstETH/ETH Curve gauge vaults on Arbitrum & Optimism were exploited a few hours ago, and we immediately paused the dForce Vaults – other parts of the protocol remain intact and user funds are SAFE with dForce Lending.
We will come back with a detailed report and remedies soon.
— dForce (@dForcenet) February 10, 2023
Amid the exploit, the native token for the project, DF, saw a mild 10% decline. The token now trades at $0.044, indicating that it is gradually recovering from the attack. dForce’s overcollateralized stablecoin, USX, appears unaffected amid the attack. It currently trades at $0.99.
Notably, this is not the first time the dForce protocol will be attacked by bad actors. In April 2020, the protocol was exploited for $25 million. However, the hacker later returned nearly all the stolen funds. Could it be that the same might occur with the latest exploit? Only time will tell.
