Project name: dForce
Project type: Lending
Date of exploit: Feb 9, 2023
Asset loss: $3.7M
Vulnerability: Price manipulation (Read-only Reentrancy)
Date of audit report publishing: Feb 21, 2021
Conclusion: Out of Audit Scope
dForce is a DeFi project providing services including a stablecoin, lending, trading, and governance. In the dForce lending protocol, the amount a user can borrow depends on the value of their collateral, which is computed from external price oracles. In this exploit, the price oracle that was manipulated relied on the Curve protocol.
On Feb 9, 2023, dForce's lending protocol was attacked, leading to a loss of $3.7M. The attacker used a read-only reentrancy vector against Curve to manipulate the price that the lending protocol read from its oracle, and then used the distorted price to drain funds from the pool. Read-only reentrancy arises when a contract reads another contract's view function while that contract is in the middle of a state-changing call (for example, during a callback) and its storage is only partially updated; the callee's own reentrancy lock does not protect its view functions, so the caller receives an inconsistent value. The vulnerability lies in the dependency on the Curve protocol, which dForce's lending protocol used as a price oracle; this class of issue in Curve pools has been widely recognized by the community. The dependency on the Curve protocol was not in CertiK's audit scope.
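The following is an added, constructed model of the read-only reentrancy pattern described above; it is not dForce's, Curve's, or CertiK's code, and all names, balances and parameters in it are assumptions chosen for illustration. It simplifies the pool invariant to the plain sum of balances (real Curve StableSwap math differs), but keeps the ordering that matters: `remove_liquidity` reduces the pool balances, sends ETH to the caller (which triggers a callback), and only afterwards burns LP tokens, so a `get_virtual_price` read inside the callback sees a depressed value. The `guarded_lp_price` oracle models the common mitigation of calling a state-changing, nonreentrant function on the pool before reading its price, so the read reverts whenever the pool is mid-call.

```python
"""Constructed model of read-only reentrancy against an LP-token price oracle.
Assumptions: both pool assets are worth 1.0, so D = sum(balances) and
virtual_price = D / total_supply. Names and numbers are illustrative only."""


class PoolLocked(Exception):
    """Raised when a nonreentrant pool function is entered while the pool is busy."""


class Pool:
    """Two-asset pool. remove_liquidity updates balances, sends ETH (callback),
    and only then burns LP tokens: the vulnerable ordering."""

    def __init__(self, balances, total_supply):
        self.balances = list(balances)
        self.total_supply = total_supply
        self._locked = False

    def get_virtual_price(self):
        # View function: does NOT consult the reentrancy lock.
        return sum(self.balances) / self.total_supply

    def add_liquidity(self, amounts):
        self._lock()
        try:
            minted = sum(amounts) / self.get_virtual_price()
            self.balances = [b + a for b, a in zip(self.balances, amounts)]
            self.total_supply += minted
            return minted
        finally:
            self._unlock()

    def remove_liquidity(self, caller, amount):
        self._lock()
        try:
            share = amount / self.total_supply
            out = [b * share for b in self.balances]
            self.balances = [b - o for b, o in zip(self.balances, out)]  # 1. balances reduced
            caller.receive_eth(out[0], self)                              # 2. ETH sent: callback
            self.total_supply -= amount                                   # 3. LP burned
            return out
        finally:
            self._unlock()

    def withdraw_admin_fees(self):
        # Nonreentrant no-op (modeled): reverts if the pool is mid-call.
        self._lock()
        self._unlock()

    def _lock(self):
        if self._locked:
            raise PoolLocked("reentrant call")
        self._locked = True

    def _unlock(self):
        self._locked = False


def naive_lp_price(pool):
    """Vulnerable oracle: trusts the view function unconditionally."""
    return pool.get_virtual_price()


def guarded_lp_price(pool):
    """Hardened oracle: trip the pool's lock first, so a mid-call read reverts."""
    pool.withdraw_admin_fees()
    return pool.get_virtual_price()


class Lending:
    """LP tokens are collateral, priced by the oracle; undercollateralized
    positions can be liquidated at a bonus (constructed parameters)."""
    LTV = 0.8
    LIQ_BONUS = 0.1

    def __init__(self, pool, oracle):
        self.pool, self.oracle = pool, oracle
        self.positions = {}  # name -> [lp_collateral, debt]

    def open(self, name, lp, debt):
        self.positions[name] = [lp, debt]

    def liquidate(self, name):
        lp, debt = self.positions[name]
        price = self.oracle(self.pool)
        if lp * price * self.LTV >= debt:
            raise ValueError("position is healthy")
        seized = min(lp, debt * (1 + self.LIQ_BONUS) / price)
        self.positions[name] = [lp - seized, 0.0]
        return seized


class Attacker:
    """Removes flash-loan-sized liquidity and acts inside the ETH callback."""

    def __init__(self, lending, victim):
        self.lending, self.victim = lending, victim
        self.price_seen, self.seized = None, 0.0

    def receive_eth(self, amount, pool):
        # Balances are already reduced, LP supply is not: price is depressed here.
        self.price_seen = pool.get_virtual_price()
        try:
            self.seized = self.lending.liquidate(self.victim)
        except (ValueError, PoolLocked):
            self.seized = 0.0


def run_scenario(oracle):
    """Returns (LP seized from victim, price seen mid-callback, final price)."""
    pool = Pool([1000.0, 1000.0], total_supply=2000.0)          # constructed state
    lending = Lending(pool, oracle)
    lending.open("victim", lp=100.0, debt=75.0)                # healthy: 100*1.0*0.8 > 75
    attacker = Attacker(lending, "victim")
    minted = pool.add_liquidity([4000.0, 4000.0])              # flash-loaned deposit
    pool.remove_liquidity(attacker, minted)
    return attacker.seized, attacker.price_seen, pool.get_virtual_price()


if __name__ == "__main__":
    print("naive oracle  :", run_scenario(naive_lp_price))
    print("guarded oracle:", run_scenario(guarded_lp_price))
```

With the naive oracle the callback sees a virtual price of 0.2 instead of 1.0, the victim's position looks undercollateralized, and the attacker seizes all 100 LP tokens for repaying 75 of debt; once `remove_liquidity` finishes, the price is back at 1.0. With the guarded oracle the same liquidation attempt reverts with `PoolLocked`, because the pool is still inside `remove_liquidity` when the oracle is read.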
dForce's announcement: https://twitter.com/dForcenet/status/1623904209161830401