DeFi-focused altcoin project dForce (DF) lost $3.6 million in a hack that repeatedly pulled funding from the smart contract.
Altcoin hack was the latest vulnerability to occur in Curve Finance
According to reports, a hacker stole more than $3.6 million from dForce in a Curve reentry attack he ran on Arbitrum and Optimism. The DeFi project confirmed the incident in a Twitter post and reported that it is pausing their contracts to prevent further damage.
DeFi altcoin drops over 5%
The dForce (DF) price has only seen a 5% drop, possibly as the stolen funds have just been sold. At the time of writing, it is trading at $0.04381 amid ongoing selling.
Hacker targeted wstETH/ETH Curve vaults
The attack was apparently enabled by a reentry vulnerability that can occur when an attacker repeatedly calls a smart contract function and extracts assets from it before updating the contract internal state. This vulnerability can happen when there is an error in the smart contract code or the lack of appropriate security measures.
“On February 10, our wstETH/ETH Curve vaults on Arbitrum and Optimism were exploited and we paused all vaults immediately. The vulnerability was identified and the hack was specific to dForce’s wstETH/ETH-Curve vault.”
According to two leading crypto security companies BlockSec and PeckShield, the total losses from the attack were about $3.6 million. Peckshiled noted that dForce lost about 1,236.65 ETH and 719,437 USX live from the Arbitrum second layer protocol.
PeckShield also highlighted that about 1,037,492 USDC stolen was at @optimismFND. Reports state that “their initial analysis showed that the root cause was an oracle price issue.” Total losses are approximately $1.91 million in Arbitrum and $1.73 million in Optimism.
How did the hack happen?
The reentry bug was present in a smart contract function used by dForce to calculate oracle prices on Arbitrum and Optimism when connected to Curve Finance. The custom function known as “get_virtual_price” is a command that gives an estimated oracle price and can be called by any protocol when connected to Curve. It is used to calculate the price of the liquidity pool token.
BlockSec’s director of security services, Matthew Jiang, said that all protocols are vulnerable, including dForce, which uses the “get_virtual_price” function to calculate oracle prices. He added that the problem was known to everyone and Curve did not affect him. Still, projects need to be more careful and take additional steps when estimating oracle prices, as they can be manipulated by malicious actors to perform reentry attacks.
cryptocoin.com Another high-profile hack occurred on Trust Wallet, a hot-storage method that received praise from Binance CEO Changpeng Zhao.
Contact us to be instantly informed about the last minute developments. twitter‘in, Facebookin and InstagramFollow and Telegram And YouTube join our channel!
Risk Disclosure: The articles and articles on Kriptokoin.com do not constitute investment advice. Bitcoin and cryptocurrencies are high-risk assets, and you should do your due diligence and do your own research before investing in these currencies. You can lose some or all of your money by investing in Bitcoin and cryptocurrencies. Remember that your transfers and transactions are at your own risk and any losses that may occur are your responsibility. Cryptokoin.com does not recommend buying or selling any cryptocurrencies or digital assets, nor is Kriptokoin.com an investment advisor. For this reason, Kriptokoin.com and the authors of the articles on the site cannot be held responsible for your investment decisions. Readers should do their own research before taking any action regarding the company, assets or services in this article.
Disclaimer: Advertisements on Kriptokoin.com are carried out through third-party advertising channels. In addition, Kriptokoin.com also includes sponsored articles and press releases on its site. For this reason, advertising links directed from Kriptokoin.com are on the site completely independent of Kriptokoin.com’s approval, and visits and pop-ups directed by advertising links are the responsibility of the user. The advertisements on Kriptokoin.com and the pages directed by the links in the sponsored articles do not bind Kriptokoin.com in any way.
Warning: Citing the news content of Kriptokoin.com and quoting by giving a link is subject to the permission of Kriptokoin.com. No content on the site can be copied, reproduced or published on any platform without permission. Legal action will be taken against those who use the code, design, text, graphics and all other content of Kriptokoin.com in violation of intellectual property law and relevant legislation.