DFX Finance, a decentralized exchange protocol for fiat-pegged stablecoins which raised a $5 million seed round led by Polychain Capital and True Ventures last year, has reportedly experienced a pool hack.
An unknown attacker reportedly stole approximately $7.5 million from DFX, according to estimates from security researchers at BlockSec.
The DFX Finance team acknowledged the incident on Twitter and stated it had paused all of its smart contracts to contain the situation:
1) Today we were notified about suspicious activity happening in the #DFX contracts. The attack started at Nov-10-2022 07:21:59 PM +UTC originating from wallet 0x14c19962e4a899f29b3dd9ff52ebfb5e4cb9a067.
— DFX Finance (@DFXFinance) November 11, 2022
According to DFX, “We were notified of the suspicious activity within 20-30 mins of the first transaction and executed a pause on all DFX contracts within a few minutes after confirming the attack.”
The hack reportedly stemmed from missing re-entrancy protection in the flash-loan mechanism that DFX Finance offers on the Ethereum blockchain. A flash loan lets a borrower take a large amount of crypto with no collateral, provided the funds are returned within the same transaction. The unknown attacker has been depositing the stolen funds into Tornado Cash.
Of the $7.5 million stolen, however, the attacker managed to move only about $4.3 million worth of assets into their own wallet. The remaining roughly $3.2 million was captured by an MEV bot that front-ran the attacker, in what was described as a sandwich attack.
The bot-extracted funds sit in an address controlled by the bot operator and can be recovered only if the operator agrees. DFX Finance has already asked the operator to return the extracted funds.
During the attack, the attacker took a flash loan of stablecoins from a DFX pool and, inside the loan's callback function, deposited the borrowed tokens straight back into the same liquidity pool. The deposit restored the pool's token balance, so the flash loan's repayment check, which reportedly only compared the pool's balance before and after the callback, passed. But the deposit also minted liquidity pool tokens to the attacker, who still held them once the loan closed and later redeemed and sold them. Repeating this with multiple flash loans gave the attacker control of over $7.5 million worth of DFX's liquidity pool tokens.
It is unfortunate that flash loans were the vector, since they are intended for arbitrage trading and improving capital efficiency. The loans themselves are not the flaw: a protocol that verifies repayment only by checking its balance after the borrower's callback, and that lets the borrower call back into the pool during that callback, can have its check satisfied by a deposit of the borrowed funds rather than by an actual repayment. Attackers have exploited this pattern in protocols like DFX to drain large sums.
Some security analysts have said that liquidity-pool deposits should have been blocked while a flash loan was open (for example with a re-entrancy guard on the pool), since the deposit is what tricked the protocol into believing the borrowed funds had been returned.
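As an added illustration (this is not DFX's code and not the exploit transaction), the following Python model reproduces the accounting described above: a pool whose flash loan verifies repayment with a before/after balance check around a borrower callback, and whose deposit function can be re-entered from inside that callback. The pool size, loan amount, account names and the pro-rata LP mint are constructed for the example; the `guarded` flag switches on the re-entrancy lock that would have rejected the deposit.

```python
import copy
from dataclasses import dataclass, field


class Revert(Exception):
    """Stands in for an EVM revert: the whole transaction is undone."""


@dataclass
class Pool:
    reserve: int                 # stablecoin units the pool holds
    lp_supply: int               # LP tokens outstanding
    lp: dict = field(default_factory=dict)   # holder -> LP tokens
    guarded: bool = False        # True = re-entrancy lock enforced (hardened)
    _locked: bool = False

    def _lock(self):
        # Hardened pool: refuse any call that re-enters while another call is active.
        if self.guarded and self._locked:
            raise Revert("ReentrancyGuard: reentrant call")
        self._locked = True

    def _unlock(self):
        self._locked = False

    def deposit(self, who, wallet, amount):
        self._lock()
        try:
            if wallet.get(who, 0) < amount:
                raise Revert("insufficient balance")
            wallet[who] -= amount
            # LP tokens minted pro rata to the reserve at the moment of deposit
            minted = amount * self.lp_supply // self.reserve
            self.reserve += amount
            self.lp_supply += minted
            self.lp[who] = self.lp.get(who, 0) + minted
            return minted
        finally:
            self._unlock()

    def withdraw(self, who, wallet, lp_amount):
        self._lock()
        try:
            if self.lp.get(who, 0) < lp_amount:
                raise Revert("insufficient LP tokens")
            out = lp_amount * self.reserve // self.lp_supply
            self.lp[who] -= lp_amount
            self.lp_supply -= lp_amount
            self.reserve -= out
            wallet[who] = wallet.get(who, 0) + out
            return out
        finally:
            self._unlock()

    def flash(self, who, wallet, amount, callback):
        """Lend `amount`, run the borrower's callback, then check the pool is whole again.

        The repayment check is balance-based: anything that raises the reserve
        during the callback, including a deposit of the borrowed funds, satisfies it.
        """
        self._lock()
        try:
            before = self.reserve
            self.reserve -= amount
            wallet[who] = wallet.get(who, 0) + amount
            callback(self)               # borrower code runs with the funds
            if self.reserve < before:
                raise Revert("flash loan not repaid")
        finally:
            self._unlock()


def run_tx(pool, wallet, fn):
    """Apply fn atomically: on Revert, roll pool and wallet back like an EVM tx."""
    snap_pool, snap_wallet = copy.deepcopy(pool), dict(wallet)
    try:
        fn(pool, wallet)
        return True
    except Revert:
        pool.__dict__.update(snap_pool.__dict__)
        wallet.clear()
        wallet.update(snap_wallet)
        return False


def simulate(guarded: bool) -> dict:
    """Run the deposit-inside-callback attack against a vulnerable or guarded pool."""
    # Constructed state: one honest LP owns the whole 1,000,000-unit pool.
    pool = Pool(reserve=1_000_000, lp_supply=1_000_000,
                lp={"lp_provider": 1_000_000}, guarded=guarded)
    wallet = {"attacker": 0, "lp_provider": 0}
    loan = 500_000
    seen = {}

    def attack_tx(p, w):
        def callback(pool_during_loan):
            # Re-enter the pool: "repay" by depositing the borrowed tokens as liquidity.
            pool_during_loan.deposit("attacker", w, loan)
        p.flash("attacker", w, loan, callback)
        seen["lp_after_flash"] = p.lp.get("attacker", 0)
        # The loan closed cleanly, yet the attacker holds LP tokens: cash them out.
        p.withdraw("attacker", w, p.lp.get("attacker", 0))

    ok = run_tx(pool, wallet, attack_tx)
    return {"tx_succeeded": ok,
            "attacker_balance": wallet["attacker"],
            "pool_reserve": pool.reserve,
            "attacker_lp_after_flash": seen.get("lp_after_flash", 0)}


if __name__ == "__main__":
    print("vulnerable:", simulate(guarded=False))
    print("guarded:   ", simulate(guarded=True))
```

In the unguarded run the flash loan "repays" itself with the 500,000 it lent out, the attacker ends the transaction holding half the LP supply and withdraws 500,000 units that belonged to the honest provider. With the lock on, the deposit from inside the callback reverts and the whole transaction is rolled back, which is the check the analysts quoted above say was missing.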