TL;DR#
On February 10, 2023, the DeFi aggregator dForce was attacked in Arbitrum and Optimism chains, with the attackers profiting by approximately $3.65 million.
Introduction to dForce#
dForce advocates the development of a comprehensive set of DeFi protocols spanning assets, lending, and trading to serve as Web3's DeFi infrastructure.
Vulnerability Assessment#
The root cause of the attack is due to the well-known read-only reentrancy in the Curve pool.
During the read-only reentrancy attack, a view function is reentered, which is often unprotected because it does not alter the state of the contract. Nonetheless, if the state is inconsistent, incorrect values may be reported. Other protocols that rely on a return value can be deceived into performing undesirable actions by reading the incorrect state.
Steps#
Step 1:
We took a closer look at the attack transactions on both Arbitrum, and Optimism.
Step 2:
The attacker used read-only reentrancy issue to manipulate the wstETHCRV-gauge asset in order to liquidate a number of positions within the wstETHCRV-guage as collateral.
Step 3:
The exploiter initially took a flash loan of 68,429 ETH and received 65,343 wstETHCRV. 1,904 wstETHCRV from here were then transferred to the attacker's contract.
Step 4:
The exploiter then deposited 1,904 wstETHCRV in order to receive 1,904 wstETHCRV-gauge, while also borrowing almost 2,080,000 USX.
Step 5:
They then removed 63,438 wstETHCRV in liquidity while receiving 62,125 ETH. The read-only reentrancy was then used to manipulate the wstETHCRV price, effectively liquidating the borrower collateral wstETHCRV.
Step 6:
The exploiter exchanged 2,924 wstETHCRV for 2,863 ETH, swapped 3,806 wstETH for 4,458 ETH, and repaid the flash loan for a profit of 1,236 ETH.
Step 7:
The loss amounts to approximately $1.91 million in Arbitrum chain and $1.73 million in Optimism.
Aftermath#
The team confirmed that the vaults had been compromised, at which point they promptly suspended the dForce Vaults while maintaining the integrity of the remaining protocol components.
Solution#
The recent breach of the DeFi aggregator, dForce, serves as a poignant reminder of the vulnerability of even the most sophisticated platforms, particularly in the rapidly evolving landscape of decentralized finance. The exploitation, which exploited a well-documented read-only reentrancy vulnerability in the Curve pool, culminated in a staggering loss of approximately $3.65 million across the Arbitrum and Optimism chains. Such a loss, beyond its immediate financial implications, further erodes trust in DeFi systems and emphasizes the indispensable need for robust security measures and safeguards.
Herein lies the critical role that Neptune Mutual could have played in mitigating the aftermath of such an exploit. If dForce Protocol had proactively established a dedicated cover pool with Neptune Mutual, the losses that individual users suffered could have been significantly cushioned. Our mission at Neptune Mutual is not merely about post-incident compensations but ensuring peace of mind for participants in the DeFi ecosystem. Our parametric policies are tailor-made to protect users against the adverse impacts of such smart contract vulnerabilities. The ease of claims without the convoluted need for loss evidence further emphasizes our user-centric approach. In the wake of such breaches, immediate respite is paramount, and our marketplace is designed to facilitate quick resolutions, especially on widely recognized chains like Ethereum and Arbitrum.
Moreover, our holistic approach to security transcends mere compensatory measures. Neptune Mutual takes pride in its comprehensive security evaluation, spanning multiple facets from DNS and web-based security assessments to intricate backend security reviews. In scenarios such as the dForce incident, our intrusion detection and prevention mechanisms could have provided critical alerts, potentially forestalling or minimizing the attack's impact.
Reference Sources dForce, PeckShield
