CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Blogs
Incident Analysis
Curve Conundrum: The dForce Attack via a Read-Only Reentrancy Vector Exploit
1/8/2024
Curve Conundrum: The dForce Attack via a Read-Only Reentrancy Vector Exploit

Project name: dForce

Project type: Lending

Date of exploit: Feb 9, 2023

Asset loss: $3.7M

Vulnerability: Price manipulation (Read-only Reentrancy)

Date of audit report publishing: Feb 21, 2021

Conclusion: Out of Audit Scope

Details of the Exploit

Background

dForce is a DeFi project providing services including stablecoin, lending, trading, and governance. In the dForce lending protocol, the amount of tokens a user can borrow depends on the value of their collaterals, which is calculated using external price Oracles. In this exploit, the external price Oracle is a Curve protocol.

Nature of the Vulnerability

  • A manipulated asset price incorrectly calculates the attacker's collateral value, so the attacker can borrow more than its collateral to drain the vault.
  • The asset price is provided by a Curve protocol, which has a read-only reentrancy issue in its implementation.
  • The attacker manipulated the token price by triggering external calls to update its collateral in dForce's lending protocol in the process of withdrawing liquidity from the Curve pool.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.47.56 AM

Screenshot 2024-01-08 at 5.49.26 AM

Conclusion

On Feb 9, 2023, dForce's lending protocol was attacked, leading to a loss of $3.7M. The attacker made use of a read-only reentrancy vector to manipulate the price in the lending protocol to drain funds from the pool. The vulnerability lies in the dependency on the Curve protocol, which was used as price Oracles in dForce's lending protocol, and has been widely recognized by the community. The dependency on the Curve protocol is not in CertiK's audit scope.

References

dForce's announcement: https://twitter.com/dForcenet/status/1623904209161830401

Related Stories
Prisma Finance Incident Analysis
Blogs
Incident Analysis
On 28 March, Prisma Finance was exploited by multiple addresses leading to a loss of approximately $12.3 million. Three attackers took advantage of a vulnerability in the Prisma Finance MigrateTroveZap contract which allowed them to manipulate a migration process. Since the exploit occurred, a wallet that received funds from the main exploiter has reached out to the Prisma Finance deployer declaring that their actions were a white hat rescue.
3/29/2024
Concentric.Fi Incident Analysis
Blogs
Incident Analysis
On 22nd January, Concentric.fi was exploited leading to losses of over $1.85 million. The wallets that conducted the attack have been doxxed as the OKX exploiter. Concentric announced on X that their protocol was attacked due to a targeted social engineering attack leading to the compromise of one of their teams admin wallets. From there the attackers were able to upgrade Concentric vault contracts with a malicious implementation leading to losses in liquidity pools as well as users who had approved Concentric contracts.
1/23/2024
Socket Tech Incident Analysis
Blogs
Incident Analysis
On 16 January 2024, Socket Tech was exploited by EOA 0x50df for approximately $3.3 million. The attacker took advantage of a vulnerability within the performAction function of a newly deployed contract which has an incomplete user input validation. Users who had approved the vulnerable SocketGateway contract had their funds stolen stolen. From this attack there were 230 wallets that lost funds with the biggest victim losing $656k USDC.
1/18/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;