DeFi protocol Dough Finance exploit nets $1.96 million
Another DeFi protocol fell victim to an exploit Friday morning. Dough Finance, an open-source protocol for creating non-custodial liquidity markets, suffered a flash loan attack that took nearly $2 million in user funds. The project team said it is working to resolve the situation quickly.
Dough Finance Protocol Loses $1.96 Million
On July 12, reports of an exploit affecting Dough Finance surfaced online. Web3 blockchain security platform Cyvers reported that it had detected several suspicious transactions involving the DeFi protocol.
According to the report, the hacker manipulated Dough Finance’s smart contract and stole $1.8 million in USDC. The attacker, funded via the zero-knowledge (ZK) protocol Railgun, exchanged the stolen funds for Ethereum (ETH), initially obtaining 608 ETH.
Olympix, a Web3 security provider, revealed that the exploit occurred due to “call data in the ConnectorDeleverageParaswap contract”. Apparently, the contract did not properly verify flash loan call data.
The unvalidated call data allowed the exploiter to manipulate contract data and send the funds to an externally owned account (EOA). Following initial reports, a second batch of attacks occurred.
Dough Finance's funds flow after the exploit. Source: Breadcrumbs.app on X
These attacks resulted in the loss of an additional $141,000 in USDC, bringing the total cryptocurrency theft to $1.96 million. However, Cyvers confirmed that pools on the Aave lending protocol were not affected.
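The validation gap Olympix describes is easiest to see from the defensive side. The sketch below is an added illustration, not Dough Finance's code: it assumes an Aave V3-style `flashLoanSimple` / `executeOperation` callback, and the contract name, `allowCall`, `deleverage` and the allowlist mapping are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 { function approve(address spender, uint256 amount) external returns (bool); }
interface IPool {
    function flashLoanSimple(address receiver, address asset, uint256 amount,
        bytes calldata params, uint16 referralCode) external;
}

// Hypothetical receiver, not Dough Finance's contract; all names are assumptions.
contract GuardedFlashLoanReceiver {
    IPool public immutable pool;     // the only address allowed to call back
    address public immutable owner;  // the account this receiver acts for
    // target contract => function selector => permitted
    mapping(address => mapping(bytes4 => bool)) public allowedCall;

    constructor(IPool pool_) { pool = pool_; owner = msg.sender; }

    function allowCall(address target, bytes4 selector, bool permitted) external {
        require(msg.sender == owner, "not owner");
        allowedCall[target][selector] = permitted;
    }

    // The only path that requests a loan, so honoured params always originate here.
    function deleverage(address asset, uint256 amount, address target, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        pool.flashLoanSimple(address(this), asset, amount, abi.encode(target, data), 0);
    }

    // Aave V3-style callback, invoked by the pool in the middle of the loan.
    function executeOperation(address asset, uint256 amount, uint256 premium,
        address initiator, bytes calldata params) external returns (bool) {
        // 1. Reject direct calls: only the pool may deliver the callback.
        require(msg.sender == address(pool), "caller is not the pool");
        // 2. Reject loans that someone else opened with this contract as receiver.
        require(initiator == address(this), "untrusted initiator");
        // 3. Still treat the decoded call data as untrusted input.
        (address target, bytes memory data) = abi.decode(params, (address, bytes));
        require(data.length >= 4, "call data too short");
        require(allowedCall[target][bytes4(data)], "call not allowlisted");
        (bool ok, ) = target.call(data);
        require(ok, "action failed");
        // 4. Approve exactly principal plus fee (assumes a token whose approve returns bool).
        require(IERC20(asset).approve(address(pool), amount + premium), "approve failed");
        return true;
    }
}
```

The allowlist should hold only vetted router functions; a token contract's transfer or approval selectors must never be added to it.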
Scammers Target DeFi Projects
After initial reports, the DeFi protocol acknowledged the attack and urged users to withdraw their remaining funds from the protocol. Later, Dough Finance announced that it had identified and closed the exploit.
The project confirmed that “a few early Dough DeFi Smart Accounts (DSAs)” fell victim to a sophisticated exploit. Additionally, the message assured that the Dough Finance team is actively working to resolve the incident, recover funds and compensate investors.
Online reports revealed that the team had contacted the exploiter. In an on-chain message, the DeFi protocol informed the exploiter that it had contacted the relevant authorities.
The team's on-chain message to the exploiter. Source: Evgenii on X
The team also offered to discuss a bounty if the attacker had “exploited this vulnerability as a white hat or grey hat,” and attached the address where the funds should be directly transferred.
The exploiter has until Monday, July 15, 2024 at 23:00 UTC to contact the DeFi protocol. According to the message, if the team does not receive a response, it will “assume that you appropriated the funds with unlawful intent and will pursue all available criminal, legal, and administrative avenues” to recover the misappropriated funds.
Scammers have heavily targeted the cryptocurrency sector. This week, several DeFi projects, including Compound Finance, were compromised by a phishing attack. Apparently, the projects were victims of a DNS domain attack that redirected users to a fake website.
The copycat website was a money-grabbing tool that could drain users’ funds if they interacted with it. Hence, the project teams urged customers not to interact with the websites until further notice.
Ethereum is trading at $3,126 on the three-day chart. Source: ETHUSDT on TradingView