Decentralized finance protocol Dough Finance suffered a flash loan exploit that resulted in the loss of $1.8 million in digital assets.
Cyvers, a Web3 security firm, reported on July 12 that it had identified numerous suspicious transactions. The firm contacted lending protocol Aave to determine whether its pools were affected and verified that the Aave pools were secure.
Dough Finance, however, bore the brunt of the attack. According to Cyvers, the perpetrator was funded through the zero-knowledge (ZK) protocol Railgun and exchanged the stolen USD Coin for Ether, obtaining a total of 608 ETH, approximately $1.8 million.
Smart Contract Manipulation
Olympix, a provider of web3 security, emphasized that the exploit resulted from unvalidated calldata in the “ConnectorDeleverageParaswap” contract. The organization elaborated:
“The contract didn’t properly check the data it received during flash loan calls, allowing the attacker to manipulate it for their benefit.”
As a result, the attacker was able to pass crafted data into the flash loan call and drain the funds.
According to Olympix, the exploited contract may put the protocol's depositors at risk. The security provider observed, however, that the breach did not affect Aave pools.
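As an added illustration (not Dough Finance's contract, whose code the article does not show), the following Solidity receiver, modelled on Aave's single-asset flash loan callback, performs the checks a callback should make before acting on forwarded data: the caller, the initiator and the swap payload are all validated. The pool and router addresses, the `params` encoding, the `IERC20` calls and the callback interface are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed, simplified Aave-style callback interface for a single-asset flash loan.
interface IFlashLoanSimpleReceiver {
    function executeOperation(
        address asset, uint256 amount, uint256 premium,
        address initiator, bytes calldata params
    ) external returns (bool);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

// Illustrative receiver (not Dough Finance's code): the checks a flash loan
// callback should make before acting on calldata it did not author.
contract HardenedFlashLoanReceiver is IFlashLoanSimpleReceiver {
    address public immutable POOL;        // only address allowed to call back
    address public immutable SWAP_ROUTER; // only contract the payload may target
    constructor(address pool, address router) { POOL = pool; SWAP_ROUTER = router; }

    // Layout of `params`; this encoding is the example's own choice.
    struct DeleverageParams { address target; bytes swapCalldata; address tokenOut; uint256 minOut; }

    // Assumes an access-controlled entry point elsewhere in this contract calls
    // POOL.flashLoanSimple(address(this), ...), so `initiator` is this contract.
    function executeOperation(
        address asset, uint256 amount, uint256 premium,
        address initiator, bytes calldata params
    ) external override returns (bool) {
        // 1. Only the lending pool may invoke the callback.
        require(msg.sender == POOL, "caller is not the pool");
        // 2. Ignore flash loans this contract did not open itself.
        require(initiator == address(this), "initiator is not this contract");
        DeleverageParams memory p = abi.decode(params, (DeleverageParams));
        // 3. Forward the opaque swap payload only to the whitelisted router.
        require(p.target == SWAP_ROUTER, "untrusted swap target");
        // 4. Enforce a minimum output so a crafted payload cannot drain value.
        uint256 before = IERC20(p.tokenOut).balanceOf(address(this));
        (bool ok, ) = p.target.call(p.swapCalldata);
        require(ok, "swap failed");
        require(IERC20(p.tokenOut).balanceOf(address(this)) - before >= p.minOut, "slippage");
        // Approve repayment of principal plus premium to the pool.
        IERC20(asset).approve(POOL, amount + premium);
        return true;
    }
}
```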
The security provider also recommended that Dough Finance users withdraw their funds to a secure wallet. Additionally, they advised users to refrain from engaging with the protocol until the situation is resolved and to monitor announcements from the Dough Finance team.
Over $1B Lost to Exploits in 2024
Although the Dough Finance breach resulted in nearly $2 million in losses, the crypto space had already experienced over $1 billion in digital asset losses due to numerous incidents.
CertiK, a blockchain security company, released its security report on July 3, which indicated that losses resulting from on-chain incidents had already exceeded $1.19 billion in the first half of 2024. Phishing attacks and private key compromises were responsible for most of the losses.
Phishing attacks accounted for nearly $500 million of the sector's losses, while private key compromises accounted for nearly $409 million, according to CertiK.
Ronghui Gu, the co-founder of CertiK, emphasized the necessity of incorporating multifactor authentication methods, including security tokens and two-factor authentication (2FA).