Cryptocurrency platform loses BRL 19 million in second hacker attack

dForce, a decentralized finance (DeFi) platform, lost $3.65 million in a hacker attack, the second breach the company has suffered.

The DeFi platform is known for offering trading and lending services to investors on seven different blockchains, including Ethereum, Binance Chain, Optimism, and Avalanche.

The attack was spotted by Twitter user @ZoomerAnon and later confirmed by blockchain security firm PeckShield. The hacker exploited a reentrancy vulnerability present in a smart contract function used by dForce to get oracle prices.

Second hack

Security company PeckShield emphasized that funds were stolen on two layer-2 networks: Arbitrum and Optimism. According to a tweet from PeckShield, the reported losses involved three different cryptocurrencies, including 1,236.65 ETH and 719,437 USX.

PeckShield also highlighted that about 1,037,492 USDC was stolen on @optimismFND. According to reports, its initial analysis shows that the root cause is an oracle pricing issue. The total loss is about $1.91 million on Arbitrum and $1.73 million on Optimism.

According to another blockchain security company, BlockSec, the main cause of the recent problem is a read-only reentrancy attack involving the Curve pool. BlockSec noted that the price oracle used by the dForce lending protocol can be easily manipulated by attackers.

A reentrancy attack occurs when a hacker exploits a flaw in a smart contract and repeatedly withdraws funds, transferring them to an unauthorized contract.

Once the attacker manipulates the oracle, they can liquidate positions at favorable prices and make a profit.
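
The read-only reentrancy condition BlockSec describes can be illustrated with a simplified model. This is an added example, not dForce or Curve code: ToyPool, NaiveOracle, GuardedOracle and all numbers are constructed, and Python stands in for contract code. It shows how a view function can report an inconsistent price while a withdrawal is in progress, and how an oracle that checks the pool's reentrancy lock refuses to use it.

```python
# Simplified, constructed model of read-only reentrancy (not real protocol code).
class ToyPool:
    """Pool whose withdrawal pays out before its accounting is complete."""
    def __init__(self, balance, supply):
        self.balance, self.supply = balance, supply
        self.locked = False  # reentrancy lock guarding state-changing calls

    def virtual_price(self):
        # Read-only view: the lock does not cover it, so it can be read mid-withdrawal.
        return self.balance / self.supply

    def remove_liquidity(self, shares, on_receive):
        if self.locked:
            raise RuntimeError("reentrant call")
        self.locked = True
        payout = self.balance * shares / self.supply
        self.supply -= shares       # shares burned first
        on_receive(payout)          # external call: the receiver's code runs here
        self.balance -= payout      # balance updated only afterwards
        self.locked = False

class NaiveOracle:
    """Consumer that trusts the view function at any time."""
    def __init__(self, pool):
        self.pool = pool
    def price(self):
        return self.pool.virtual_price()

class GuardedOracle(NaiveOracle):
    """Consumer that refuses to price while the pool is mid-operation."""
    def price(self):
        if self.pool.locked:
            raise RuntimeError("pool state inconsistent: reentrancy lock held")
        return self.pool.virtual_price()

def observe_during_withdrawal(oracle_cls):
    """Record the oracle price before, during and after one withdrawal."""
    pool = ToyPool(balance=1000.0, supply=1000.0)
    oracle = oracle_cls(pool)
    seen = {"before": oracle.price()}
    def on_receive(_payout):
        try:
            seen["during"] = oracle.price()
        except RuntimeError:
            seen["during"] = None   # guarded oracle rejected the read
    pool.remove_liquidity(500.0, on_receive)
    seen["after"] = oracle.price()
    return seen
```

With the naive oracle the price read during the callback is double the true value, while the guarded oracle returns no price until the withdrawal has finished.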

Company is requesting a refund

The latest attack raises questions about the security and robustness of DeFi platforms, which are becoming increasingly popular with investors. While dForce has confirmed the attack, it remains to be seen whether affected users will be compensated.

dForce is expected to provide more information on the measures it is taking to protect its users’ funds and patch the vulnerability exploited by the hacker.

When dForce learned of the attack, officials suspended the operation of all smart contracts to prevent the theft of other digital assets. According to platform representatives, as a result of the hacker’s actions, the platform incurred a debt of US$2.3 million, but service customers were not affected.

The dForce team sent a message to the hacker using a transaction on the Arbitrum network, saying they had supposedly discovered his IP address and other personal information, then asked him to voluntarily return the stolen coins in exchange for a reward. Otherwise, the information would be passed on to the authorities.

“We have reached out to security company @SlowMist_team and our ecosystem partners to investigate the matter and would like to offer the explorer a reward if the money is returned. Stay tuned for more updates,” dForce said.

The new attack on dForce comes two years after the protocol lost $25 million in a major attack. However, the attacker returned almost all of the stolen money.

While the recent attack stole a smaller amount of money, it is the latest in a long line of attacks targeting the DeFi ecosystem, one of the fastest growing ecosystems in the industry.

According to a report published by TRM Labs, more than $3.7 billion was lost due to cryptocurrency hacks in 2022, with more than 80% of those going through DeFi protocols.

Source: Live Coins
