A reentrancy attack on the Arbitrum and Optimism chains caused a loss of $3.6 million for the dForce DeFi protocol.
In what appears to be a reentrancy attack on a Curve vault it maintained on the Arbitrum and Optimism blockchains, a hacker stole more than $3.6 million from the decentralized finance (DeFi) protocol dForce.
In a tweet, the DeFi project confirmed the incident and said that it had paused its contracts to prevent further damage.
The attack was apparently made possible by a reentrancy flaw, which occurs when an attacker repeatedly calls a smart contract function and pulls assets from it before the contract updates its internal state. This can happen if there is a defect in the smart contract’s code or if adequate security measures are lacking.
“On February 10, our wstETH/ETH Curve vaults on Arbitrum and Optimism were compromised, prompting the suspension of all vaults. The weakness has been uncovered, and the attack was unique to the wstETH/ETH-Curve vault of dForce,” the team said.
According to two well-known crypto security firms, BlockSec and PeckShield, the hack caused around $3.6 million in losses. The reentrancy flaw was in a smart contract function that dForce used to determine oracle prices on the Arbitrum and Optimism chains when integrating with Curve Finance. The “get virtual price” function provides an estimated oracle price and may be called by any Curve-connected protocol. It is used to compute the liquidity pool token’s price.
Matthew Jiang, director of security services at BlockSec, told The Block that any protocol that uses the “get virtual price” function as its price oracle is susceptible, including dForce. He stated that the problem is public knowledge and has no effect on Curve. Nevertheless, projects must be extra careful and take additional precautions when evaluating oracle pricing, since it can be manipulated by malicious actors through reentrancy attacks.
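The stale-state price read described above can be shown with a small model. This is an added example, not code from dForce, Curve, or the security firms quoted; the `Pool` class, its fields, the `guard_reads` switch and the numbers are constructed assumptions that simplify how a real pool works.

```python
class Pool:
    """Toy liquidity pool (constructed model, not Curve's contract code)."""

    def __init__(self, balance, supply, guard_reads=False):
        self.balance = balance          # assets held by the pool
        self.supply = supply            # LP tokens outstanding
        self.guard_reads = guard_reads  # hardened variant: reject reads mid-call
        self.locked = False

    def virtual_price(self):
        """Price of one LP token, as an integrating protocol would read it."""
        if self.guard_reads and self.locked:
            raise RuntimeError("pool is mid-update; price is not reliable")
        return self.balance / self.supply

    def remove_liquidity(self, lp_amount, on_receive):
        """Burns LP tokens and pays out; on_receive models the external call."""
        self.locked = True
        try:
            payout = self.balance * lp_amount / self.supply
            self.supply -= lp_amount   # first half of the state update
            on_receive(payout)         # control leaves the pool here
            self.balance -= payout     # second half happens only afterwards
        finally:
            self.locked = False
        return payout


def observe_price_during_withdrawal(pool, lp_amount):
    """Returns (price seen inside the callback, price after the call ends)."""
    seen = {}

    def on_receive(_payout):
        try:
            seen["price"] = pool.virtual_price()
        except RuntimeError:
            seen["price"] = None       # consumer treats the price as unavailable

    pool.remove_liquidity(lp_amount, on_receive)
    return seen["price"], pool.virtual_price()


if __name__ == "__main__":
    print("unguarded:", observe_price_during_withdrawal(Pool(1000, 1000), 500))
    print("guarded:  ", observe_price_during_withdrawal(Pool(1000, 1000, True), 500))
```

In the unguarded pool the price read during the callback is double the settled price, because only half of the state update has happened; the guarded pool refuses the read, so a consuming protocol can reject the transaction instead of trusting the value.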