Decentralized finance (DeFi) protocol Dough Finance fell victim to a flash loan attack on July 12, resulting in a loss of $1.8 million in digital assets.
🚨ALERT🚨Our system has detected multiple suspicious transactions involving @DoughFina. After communicating with the #AAVE team, we can confirm that #AAVE pools are NOT affected.
The attacker was funded through #Railgun and has swapped all stolen $USDC into $ETH, resulting in a… pic.twitter.com/WchJeU5S0e
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 12, 2024
Anatomy of the Attack: Smart Contract Vulnerability Exposed
Web3 security firm Cyvers first detected suspicious transactions and alerted lending protocol Aave to check for potential impacts. While Aave’s pools remained unaffected, Dough Finance bore the brunt of the attack.
The attacker, funded through the zero-knowledge protocol Railgun, exploited a vulnerability in Dough Finance’s “ConnectorDeleverageParaswap” smart contract.
Security provider Olympix explained that the contract failed to properly validate call data during flash loan calls, allowing the attacker to manipulate it for personal gain. The hacker successfully swapped stolen USD Coin (USDC) for 608 Ether (ETH), worth approximately $1.8 million.
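The bug class Olympix describes, unvalidated call data inside a flash loan callback, is usually closed with checks like the ones in this added Solidity sketch. It is not Dough Finance's code: the contract name, the single-asset callback shape, and the assumption that the callback parameters carry a target address plus call bytes are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the bug class; every name here is hypothetical.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract HardenedFlashReceiver {
    address public immutable pool;        // assumed: the trusted flash loan lender
    address public immutable swapRouter;  // assumed: the only contract a swap may call
    bytes4 public immutable swapSelector; // assumed: the only router function allowed

    constructor(address pool_, address router_, bytes4 selector_) {
        pool = pool_;
        swapRouter = router_;
        swapSelector = selector_;
    }

    // Callback the lender invokes after transferring the borrowed funds.
    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address initiator,
        bytes calldata params
    ) external returns (bool) {
        // 1. Only the lender may invoke the callback.
        require(msg.sender == pool, "caller is not pool");
        // 2. Only loans this contract started itself are honoured.
        require(initiator == address(this), "foreign initiator");

        // 3. Validate the embedded call instead of forwarding it blindly.
        //    A vulnerable receiver would skip these three checks.
        (address target, bytes memory data) = abi.decode(params, (address, bytes));
        require(target == swapRouter, "target not allowlisted");
        require(data.length >= 4, "calldata too short");
        require(bytes4(data) == swapSelector, "selector not allowlisted");

        (bool ok, ) = target.call(data);
        require(ok, "swap failed");

        // 4. Approve exactly what the lender will pull back, nothing more.
        require(IERC20(asset).approve(pool, amount + premium), "approve failed");
        return true;
    }
}
```

A selector allowlist does not constrain the arguments behind it, so a production contract would also decode the swap arguments and check fields such as the recipient and token addresses.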
This incident adds to the growing list of security breaches in the crypto industry. CertiK’s recent security report revealed that on-chain incidents have already resulted in $1.19 billion in losses during the first half of 2024.
Phishing attacks and private key compromises accounted for the majority of these losses, with $500 million and $409 million, respectively.
In response to the attack, security experts have advised Dough Finance users to consider withdrawing their funds to secure wallets and to avoid interacting with the protocol until the situation is resolved.