Back to all stories
Incident Analysis
Curve Conundrum: The dForce Attack via a Read-Only Reentrancy Vector Exploit
Curve Conundrum: The dForce Attack via a Read-Only Reentrancy Vector Exploit

Project name: dForce

Project type: Lending

Date of exploit: Feb 9, 2023

Asset loss: $3.7M

Vulnerability: Price manipulation (Read-only Reentrancy)

Date of audit report publishing: Feb 21, 2021

Conclusion: Out of Audit Scope

Details of the Exploit


dForce is a DeFi project providing services including stablecoin, lending, trading, and governance. In the dForce lending protocol, the amount of tokens a user can borrow depends on the value of their collaterals, which is calculated using external price Oracles. In this exploit, the external price Oracle is a Curve protocol.

Nature of the Vulnerability

  • A manipulated asset price incorrectly calculates the attacker's collateral value, so the attacker can borrow more than its collateral to drain the vault.
  • The asset price is provided by a Curve protocol, which has a read-only reentrancy issue in its implementation.
  • The attacker manipulated the token price by triggering external calls to update its collateral in dForce's lending protocol in the process of withdrawing liquidity from the Curve pool.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.47.56 AM

Screenshot 2024-01-08 at 5.49.26 AM


On Feb 9, 2023, dForce's lending protocol was attacked, leading to a loss of $3.7M. The attacker made use of a read-only reentrancy vector to manipulate the price in the lending protocol to drain funds from the pool. The vulnerability lies in the dependency on the Curve protocol, which was used as price Oracles in dForce's lending protocol, and has been widely recognized by the community. The dependency on the Curve protocol is not in CertiK's audit scope.


dForce's announcement: