On 12 July 2024, Dough Finance was exploited for ~$2.1m via multiple flash loan transactions. The attacker exploited arbitrary call vulnerabilities in the Dough ConnectorDeleverageParaswap contracts which allowed them to transfer WETH directly from these vulnerable contracts. A second wallet belonging to a white hat returned 69.12 ETH to the project.
The project attempted to negotiate with the attacker though by 13 July 600 ETH had been deposited into into Tornado Cash.
Txn1 | Txn2 | Txn3 | Txn4 | Txn5 | Txn6 | Txn7 | Txn8
The following attack flow is based on transaction hash 0x92cdcc732eebf47200ea56123716e337f6ef7d5ad714a2295794fdc6031ebb2e.
The ‘deloop' feature introduced in the Dough protocol is designed to help users unwind leveraged positions. This deloop operation, specifically the first iteration of the for loop in 'deloopAllCollaterals()', increases USDC collateral by a small amount then withdraws WETH by invoking the 'AaveAction’ contract.
Since the attacker had settled all USDC debt for 0x534a in step 1, the attacker was able to manipulate victim contract 0x534a to withdraw all of its WETH collateral.
The ConnectorDeleverageParaswap did not validate the calldata and called it directly, resulting in the 596.844648055377423623 WETH (in red above) withdrawn from victim 0x534a being transferred to the attacker's address (in blue above) via transferFrom().
Despite the project reaching out, on 12 July, EOA 0x34611f6BBB0a5f6F8Eb48146F4474BFf842Ae893 sent 108 ETH to EOA 0x932e71261BA289c5bCf197C0A7EaBfe69D145488 before sending 100 ETH to Tornado Cash. The next day, on 13 July, 500 ETH was sent from 0x346 to Tornado Cash.
*Image: Dough Finance attacker money flow using SkyTrace Source: SkyInsights by CertiK *
Dough Finance were able to recover a small portion of funds with white hat EOA 0xcDd9E99dA30f790b9A73fAB23581000aC7753F76 returning 69.12 ETH, whilst MEV bot c0ffeebabe.eth, known for returning exploited funds, also returned 7.05 ETH to Dough's recovery wallet 0xf788c7eA6212A9674a4cA9B269a3F4B3F6Aae984.
The ‘deloop' feature introduced in the Dough protocol helps the user to unwind a leveraged position. To do so, the ConnectorDeleverageParaswap needs to make external calls to interact with other DeFi projects, such as AAVE, during this process the calldata should be checked.
The root cause of the incident was the lack of calldata validation in all the functions involved in Dough ConnectorDeleverageParaswap call chain involving deloop:
This allowed exploiter to make arbitrary call from ConnectorDeleverageParaswap contract and effectively control user’s assets entrusted to it.
So far in 2024, we have recorded 46 incidents involving flash loans, representing losses of over $84m. During the same period in 2023 there were 117 flash loan exploits with losses of over $247m.
To keep up to date on the latest incident alerts and statistics follow @certikalert on X.