Curve Conundrum: The dForce Attack via a Read-Only Reentrancy Vector Exploit

리서치 사고 분석
Curve Conundrum: The dForce Attack via a Read-Only Reentrancy Vector Exploit

Project name: dForce

Project type: Lending

Date of exploit: Feb 9, 2023

Asset loss: $3.7M

Vulnerability: Price manipulation (Read-only Reentrancy)

Date of audit report publishing: Feb 21, 2021

Conclusion: Out of Audit Scope

Details of the Exploit

Background

dForce is a DeFi project providing services including stablecoin, lending, trading, and governance. In the dForce lending protocol, the amount of tokens a user can borrow depends on the value of their collaterals, which is calculated using external price Oracles. In this exploit, the external price Oracle is a Curve protocol.

Nature of the Vulnerability

  • A manipulated asset price incorrectly calculates the attacker's collateral value, so the attacker can borrow more than its collateral to drain the vault.
  • The asset price is provided by a Curve protocol, which has a read-only reentrancy issue in its implementation.
  • The attacker manipulated the token price by triggering external calls to update its collateral in dForce's lending protocol in the process of withdrawing liquidity from the Curve pool.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.47.56 AM

Screenshot 2024-01-08 at 5.49.26 AM

Conclusion

On Feb 9, 2023, dForce's lending protocol was attacked, leading to a loss of $3.7M. The attacker made use of a read-only reentrancy vector to manipulate the price in the lending protocol to drain funds from the pool. The vulnerability lies in the dependency on the Curve protocol, which was used as price Oracles in dForce's lending protocol, and has been widely recognized by the community. The dependency on the Curve protocol is not in CertiK's audit scope.

References

dForce's announcement: https://twitter.com/dForcenet/status/1623904209161830401

관련 블로그

CertiK Hack3D: H1 2026 Report
새로운 · 리서치 ·보안 보고서

CertiK Hack3D: H1 2026 Report

Web3 security losses exceeded $1.31 billion in H1 2026 across 344 incidents, with wallet compromise emerging as the most financially destructive attack vector and phishing shifting toward fewer, higher-value social engineering attacks.

GnosisPay Incident Analysis

GnosisPay Incident Analysis

On 01 June 2026 an attacker drained dozens of GnosisPay Safes on Gnosis Chain. The attack vector was a signature-verification flaw in the GnosisPay Delay module.

Top Crypto Security Vectors to Look Out For in 2026

Top Crypto Security Vectors to Look Out For in 2026

2026 represents a critical juncture in the security of digital assets. As the crypto ecosystem continues to institutionalize, threats are evolving, driven by the industrialization of artificial intelligence and the emergence of new vulnerabilities.