On Nov 10, 2022, DFX Finance's swapping contracts were attacked, leading to a loss of ~$5M.
At 8 PM UTC on Nov 10, 2022, DFX Finance's swapping contracts were attacked, leading to a loss of approximately $5M. The attacker took advantage of the vulnerable flash loan mechanism in the swapping contracts: by depositing the borrowed tokens back into the contracts, the attacker bypassed the flash loan repayment check, then withdrew the tokens from the contracts after the flash loan had finished.
Funds: (35 * 100 + 2) ETH sent to Tornado Cash + ~550K remaining = ~$5M
Exploiter: DeBank wallet profile (address not included)
Attacker Contract: https://etherscan.io/address/0x6cfa86a352339e766ff1ca119c8c40824f41f22d#code
Decompiled code of 0x6cFa86a352339E766FF1cA119c8C40824f41F22D (a smart contract deployed on the Ethereum blockchain): https://library.dedaub.com/contracts/Ethereum/6cFa86a352339E766FF1cA119c8C40824f41F22D/decompiled?line=1
One of the exploit transactions: https://etherscan.io/tx/0x9ef031cfedd1bd8ad91d84418ee6110e5558276a338fc11892f0013d269f27f8
The root cause is a design flaw: the contract does not account for the flash-loaned tokens being deposited back into the pool and thereby "repaying" the flash loan. While a flash loan is in progress, the contract therefore needs to block other functions that increase the pool's balance, such as deposit(). A recommended fix is to add a reentrancy guard to all related functions.
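As an added illustration (not DFX's contracts): a simplified single-token pool that judges the flash loan repaid by comparing its token balance before and after the borrower's callback, followed by the hardened version that puts flash(), deposit() and withdraw() behind one shared OpenZeppelin ReentrancyGuard lock. The contract names, the callback interface, the fee and the import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// OpenZeppelin 4.x import paths (assumed).
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical borrower callback; the real protocol's interface differs.
interface IFlashCallback {
    function onFlash(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

// "Before": a simplified single-token pool (not DFX's code).
contract VulnerablePool {
    IERC20 public immutable token;
    mapping(address => uint256) public shares;
    constructor(IERC20 _token) { token = _token; }

    // Accepted at any time, including while flash() is still on the call stack.
    function deposit(uint256 amount) public virtual {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        shares[msg.sender] += amount;
    }

    function withdraw(uint256 amount) public virtual {
        shares[msg.sender] -= amount; // reverts on underflow in 0.8
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    function flash(uint256 amount, bytes calldata data) public virtual {
        uint256 before = token.balanceOf(address(this));
        uint256 fee = amount / 1000; // arbitrary fee for the example
        require(token.transfer(msg.sender, amount), "transfer failed");
        IFlashCallback(msg.sender).onFlash(address(token), amount, fee, data);
        // Bug: a deposit() made inside onFlash() raises the balance, so this
        // check passes although nothing was repaid, and the borrower keeps
        // shares it can withdraw() once flash() has returned.
        require(token.balanceOf(address(this)) >= before + fee, "flash loan not repaid");
    }
}

// "After": one shared reentrancy lock across every function that can change
// the pool balance, so deposit() or withdraw() called from onFlash() reverts.
contract GuardedPool is VulnerablePool, ReentrancyGuard {
    constructor(IERC20 _token) VulnerablePool(_token) {}
    function deposit(uint256 amount) public override nonReentrant { super.deposit(amount); }
    function withdraw(uint256 amount) public override nonReentrant { super.withdraw(amount); }
    function flash(uint256 amount, bytes calldata data) public override nonReentrant {
        super.flash(amount, data);
    }
}
```

The lock only helps if every balance-changing entry point shares it; guarding flash() alone leaves deposit() callable from the callback.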
At the time of writing, DFX had paused the affected protocols, but the vulnerability remains.