dForce loses $3.65 million in a hack attack, reports show
dForce network just recently suffered a severe hack attack with losses exceeding about $3.65 million, according to reports.
Peckshield alerts of hack on dForce
After recording many attacks in 2022, the crypto space started 2023 with a similar tune. Earlier on Feb. 10, PeckShield alerted to a hack attack on dForce net, estimating that the losses amounted to about $3.65 million.
Peckshield highlighted that the funds were stolen across two layers: Arbitrum and Optimism. According to a tweet posted by PeckShield, the losses reported were connected to three different crypto assets. For instance, Peckshiled noted that dForce lost about 1,236.65 ETH and 719,437 USX live from the Arbitrum layer two protocol.
Furthermore, the PeckShield network also highlighted that about 1,037,492 USDC stolen were on @optimismFND). The reports indicate that their “initial analysis shows the root cause is an oracle price issue.” The total loss is around $1.91 million on Arbitrum and $1.73 million on Optimism.
In the tweet, PeckShield asked dForce to look into the exploit. Close to an hour later, dForce confirmed the attack as first reported by PeckShield. The network noted that the Curve gauge vaults of wstETH/ETH on Arbitrum & Optimism were exploited recently.
dForce noted that they identified the issues a few hours before and immediately paused the dForce vaults to contain the situation. However, they noted that many other parts of this protocol remain in operation, and the funds are safely held in dForce Lending. However, dForce didn’t mention all the details concerning the attack at the time of posting. They promised to release a detailed report highlighting the remedies soon.
Others identified the hack
Peckshield also noted that one of its community contributors, @ZoomerAnon, also noticed the problem with the dForce flash loan exploit.
According to another blockchain security network BlockSec, the leading cause of this recent problem is a read-only reentrancy attack around the curve pool. BlockSec noted that price oracle leveraged by dForce’s lending protocol is easily manipulatable by attackers. Once the attacker manipulates the oracle, they can liquidate positions at favorable prices and make profits.
Some of the dForce community members had complaints of their own. They noted that dForce had a low bug bounty paid in their own DF token. This was not enough “for a blackhat to turn whitehat.”