Back to all stories
Blogs
Incident Analysis
Dough Finance Incident Analysis
7/16/2024
Dough Finance Incident Analysis

Incident Summary

On 12 July 2024, Dough Finance was exploited for ~$2.1m via multiple flash loan transactions. The attacker exploited arbitrary call vulnerabilities in the Dough ConnectorDeleverageParaswap contracts which allowed them to transfer WETH directly from these vulnerable contracts. A second wallet belonging to a white hat returned 69.12 ETH to the project.

Dough 1

The project attempted to negotiate with the attacker though by 13 July 600 ETH had been deposited into into Tornado Cash.

4baf997c-fdc2-4d3c-ba65-fd706063124d

Exploit Transactions

Txn1 | Txn2 | Txn3 | Txn4 | Txn5 | Txn6 | Txn7 | Txn8

Attack Flow

Addresses

  • Vulnerable Contract Address: 0x9f54e8eaa9658316bb8006e03fff1cb191aafbe6
  • Victim Contracts (DoughDsa):
    • 0x534a3bb1ecb886ce9e7632e33d97bf22f838d085
    • 0x53d2D9D2b36d2784D80297E6532e3BD965435021
    • 0x0d2b0c59D6a51eAE239A6C6eE29cFE73b79cC35b
    • 0x8f690502964348acbab0E3E3E81192A582715d89
    • 0xC581d6Ef24146f745d5Bc014cc114C8F0CA74783
    • 0x460fDebe3D0B26e9DC194De80B3111b369B29272
    • 0x3e9F59f371dB249F2D95cf1E6F5224Ff1D7328Ab
    • 0x52F0b1B251FCa6f2b1191803a0aA4d9f4dB6F924
  • Attacker Wallet Address: 0x67104175fc5fabbdb5A1876c3914e04B94c71741
  • Attack contract: 0x11A8DC866C5d03ff06bb74565b6575537B215978

Step by Step

The following attack flow is based on transaction hash 0x92cdcc732eebf47200ea56123716e337f6ef7d5ad714a2295794fdc6031ebb2e.

  1. The attacker initiated a flash loan of 938,566 then called AAVE: Pool V3.repay() and used the flash loan to repay 938,566 USDC debt on behalf of 0x534a

Dough 3

  1. The attacker then called the 'flashloanReq()' function from the ConnectorDeleverageParaswap contract. The attacker constructed the ‘calldata’ which is parsed into two parts and passed as multiTokenSwapData[] into the ‘deloopInOneOrMultipleTransactions()’ function, then to ‘deloopAllCollaterals()’.

Dough 2

The ‘deloop' feature introduced in the Dough protocol is designed to help users unwind leveraged positions. This deloop operation, specifically the first iteration of the for loop in 'deloopAllCollaterals()', increases USDC collateral by a small amount then withdraws WETH by invoking the 'AaveAction’ contract.

Screenshot 2024-07-17 at 11.12.47

Since the attacker had settled all USDC debt for 0x534a in step 1, the attacker was able to manipulate victim contract 0x534a to withdraw all of its WETH collateral.

Dough 5

  1. Subsequently, the ConnectorDeleverageParaswap contract began to process the second segment of paraswapCallData input crafted by the attacker which targeted the WETH (in dark red below) contract and specified 'transferFrom()' as the method to be called.

Dough 7

The ConnectorDeleverageParaswap did not validate the calldata and called it directly, resulting in the 596.844648055377423623 WETH (in red above) withdrawn from victim 0x534a being transferred to the attacker's address (in blue above) via transferFrom().

Dough 6

  1. After swapping the WETH to USDC and repaying the initial flash loan the attacker was left with approximately $830k USDC. The attacker repeated the process on a further 7 DoughDSA contracts gaining a total of 1.8m USDC which was swapped for WETH and sent to 0x346.

Dough 8

Fund Flow

Despite the project reaching out, on 12 July, EOA 0x34611f6BBB0a5f6F8Eb48146F4474BFf842Ae893 sent 108 ETH to EOA 0x932e71261BA289c5bCf197C0A7EaBfe69D145488 before sending 100 ETH to Tornado Cash. The next day, on 13 July, 500 ETH was sent from 0x346 to Tornado Cash.

Dough 9 *Image: Dough Finance attacker money flow using SkyTrace Source: SkyInsights by CertiK *

Dough Finance were able to recover a small portion of funds with white hat EOA 0xcDd9E99dA30f790b9A73fAB23581000aC7753F76 returning 69.12 ETH, whilst MEV bot c0ffeebabe.eth, known for returning exploited funds, also returned 7.05 ETH to Dough's recovery wallet 0xf788c7eA6212A9674a4cA9B269a3F4B3F6Aae984.

Vulnerability

Dough 10

The ‘deloop' feature introduced in the Dough protocol helps the user to unwind a leveraged position. To do so, the ConnectorDeleverageParaswap needs to make external calls to interact with other DeFi projects, such as AAVE, during this process the calldata should be checked.

The root cause of the incident was the lack of calldata validation in all the functions involved in Dough ConnectorDeleverageParaswap call chain involving deloop:

  • executeOperation()
    • deloopInOneOrMultipleTransactions()
      • deloopAllCollaterals()
        • → flashloanVars.paraSwapContract.call()

Dough 11

Dough 12

Dough 13

This allowed exploiter to make arbitrary call from ConnectorDeleverageParaswap contract and effectively control user’s assets entrusted to it.

The Stats

So far in 2024, we have recorded 46 incidents involving flash loans, representing losses of over $84m. During the same period in 2023 there were 117 flash loan exploits with losses of over $247m.

Dough 14

Dough 15

To keep up to date on the latest incident alerts and statistics follow @certikalert on X.