Dough Finance loses $1.8M in flash loan attack
Decentralized finance (DeFi) protocol Dough Finance lost $1.8 million in digital assets after a flash loan attack on the protocol.
On July 12, Web3 security firm Cyvers flagged that it had detected multiple suspicious transactions. The company contacted lending protocol Aave to check whether its pools were affected, and then confirmed that pools within Aave were safe.
Dough Finance, however, bore the brunt of the attack. According to Cyvers, the attacker was funded through the zero-knowledge (ZK) protocol Railgun and swapped the stolen USD Coin. The attacker got a total of 608 ETH, worth about $1.8 million.
Hacker manipulates smart contract
Web3 security provider Olympix highlighted that the exploit was due to unvalidated calldata within the "ConnectorDeleverageParaswap" contract. The firm explained:
“The contract didn't properly check the data it received during flash loan calls, allowing the attacker to manipulate it for their benefit.”
Because of this, the attacker was able to manipulate the data and steal the funds.
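The class of check Olympix describes, as an added example that is not Dough Finance's code: a flash loan callback that validates who called it, who requested the loan, and what the decoded data says before acting on it. The contract and function names are hypothetical, and the callback shape assumes an Aave V3-style simple flash loan interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Dough Finance's code. Contract and function names are hypothetical.
interface IERC20 { function approve(address spender, uint256 amount) external returns (bool); }
interface IPool {
    function flashLoanSimple(address receiver, address asset, uint256 amount,
                             bytes calldata params, uint16 referralCode) external;
}

contract GuardedDeleverage {
    address public immutable pool;       // the only lender allowed to call back
    address public immutable swapRouter; // fixed swap target, never read from calldata
    address private activeUser;          // set while a loan requested by this contract is open

    error UntrustedCaller(address caller);
    error UntrustedInitiator(address initiator);
    error AccountMismatch(address account);

    constructor(address pool_, address swapRouter_) { pool = pool_; swapRouter = swapRouter_; }

    // Entry point: the contract builds the callback params itself from msg.sender.
    function deleverage(address asset, uint256 amount, bytes calldata swapData) external {
        require(activeUser == address(0), "loan already open");
        activeUser = msg.sender;
        IPool(pool).flashLoanSimple(address(this), asset, amount, abi.encode(msg.sender, swapData), 0);
        activeUser = address(0);
    }

    // Flash loan callback, shaped like Aave V3's IFlashLoanSimpleReceiver.
    function executeOperation(address asset, uint256 amount, uint256 premium,
                              address initiator, bytes calldata params) external returns (bool) {
        // 1. Only the lending pool may invoke the callback.
        if (msg.sender != pool) revert UntrustedCaller(msg.sender);
        // 2. The loan must have been requested by this contract, so params came from deleverage().
        if (initiator != address(this)) revert UntrustedInitiator(initiator);
        // 3. The decoded account must match the caller recorded in deleverage().
        (address user, bytes memory swapData) = abi.decode(params, (address, bytes));
        if (user != activeUser) revert AccountMismatch(user);

        // Swap against the fixed router only, then let the pool pull principal plus premium.
        require(IERC20(asset).approve(swapRouter, amount), "approve failed");
        (bool ok, ) = swapRouter.call(swapData);
        require(ok, "swap failed");
        require(IERC20(asset).approve(pool, amount + premium), "approve failed");
        return true;
    }
}
```

A callback that skips checks 1 to 3 treats `params` as trusted input even though it cannot tell who supplied it.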
Olympix said those who deposited funds in the DeFi protocol’s exploited contract might be impacted. However, the security provider noted that the hack did not impact Aave pools.
The security provider also advised Dough Finance users to consider withdrawing their funds to a secure wallet. Furthermore, they urged users to monitor announcements from the Dough Finance team and avoid interacting with the protocol until the situation is resolved.