Polychain-backed DFX Finance hacked for $7.5 million

Quick Take

  • A hacker siphoned over $7.5 million from stablecoin exchange DFX Finance.
  • The attacker took advantage of an insecure flash-loan mechanism.

DFX Finance, a decentralized exchange protocol for fiat-pegged stablecoins, reported that it was attacked at 2:21 pm ET. An unknown attacker siphoned approximately $7.5 million from DFX, according to estimates from security researchers at BlockSec.

The DFX Finance team acknowledged the security exploit and said it has paused all of its smart contracts to contain the issue. “We were notified of the suspicious activity within 20-30 mins of the first transaction and executed a pause on all DFX contracts within a few minutes after confirming the attack,” it said.

The incident appears to be a flash-loan-enabled attack that let the hacker make a malicious withdrawal from DFX. Of the $7.5 million in stolen assets, the attacker could only transfer $4.3 million worth of assets into their wallet — including 2963 ether ($3.8 million) and some $500,000 in stablecoins.

The remaining portion of the stolen assets — about $3.2 million — was extracted by an MEV bot in a front-running transaction, also called a sandwich attack. The bot-extracted funds sit in an address controlled by the bot operator and can be recovered if the operator is willing. DFX Finance has already asked the operator to return them.

The attack vector

The attacker took advantage of an insecure flash-loan mechanism offered by DFX Finance on the Ethereum blockchain. A flash loan is a feature that lets a user borrow a large amount of cryptocurrency with no collateral, provided that the funds are returned within the same transaction.

During the attack, the attacker borrowed stablecoins from DFX Finance and then deposited them back into DFX’s liquidity pools through an “insecure callback function” that bypassed its flash-loan checks. After the flash loan, the attacker still held liquidity pool tokens, which they sold off.

The attack drained DFX’s liquidity pool tokens via multiple flash loans, taking control of over $7.5 million. Security analysts at BlockSec say liquidity-pool deposits should not have been allowed while a flash loan was outstanding, as they tricked the protocol into believing the funds had been returned and were secure.

“When a user borrows money, the protocol should not allow any function calls that can change the balance of the DFX protocol,” BlockSec CEO Yajin Zhou told The Block.
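The flaw and the guard Zhou describes, as an added Python model that is not DFX's contract code or part of the original article. The single-token pool, the 1:1 share accounting, the amounts and all names are constructed assumptions; existing depositors' shares are omitted, and the snapshot/restore stands in for an EVM revert.

```python
class Pool:
    """Toy single-token pool: a constructed model, not DFX's contract."""

    def __init__(self, reserves, guarded):
        self.reserves = reserves      # tokens held by the pool
        self.shares = {}              # LP shares per account
        self.guarded = guarded        # True = block deposits mid-loan
        self.in_flash = False

    def deposit(self, account, amount):
        # Hardened: no balance-changing call while a loan is open.
        if self.guarded and self.in_flash:
            raise PermissionError("deposit blocked during flash loan")
        self.reserves += amount
        self.shares[account] = self.shares.get(account, 0) + amount

    def flash(self, amount, callback):
        snapshot = (self.reserves, dict(self.shares))
        self.reserves -= amount
        self.in_flash = True
        try:
            callback(self, amount)    # borrower-controlled code runs here
            # The check sees only the pool balance, so it cannot tell a
            # repayment from a deposit that also minted LP shares.
            if self.reserves < snapshot[0]:
                raise RuntimeError("flash loan not repaid")
        except Exception:
            # Stand-in for an EVM revert: undo all state changes.
            self.reserves, self.shares = snapshot
            raise
        finally:
            self.in_flash = False


def simulate(guarded):
    """Return (borrower LP shares, pool reserves) after one loan attempt."""
    pool = Pool(reserves=1_000, guarded=guarded)

    def callback(p, amount):
        p.deposit("borrower", amount)  # funds come back as a deposit

    try:
        pool.flash(500, callback)
    except PermissionError:
        pass  # guarded pool rejects the deposit and the loan reverts
    return pool.shares.get("borrower", 0), pool.reserves


if __name__ == "__main__":
    print("unguarded:", simulate(False), "guarded:", simulate(True))
```

In the unguarded run the balance check passes while the borrower keeps 500 shares they never paid for; with the guard enabled the deposit is rejected and the pool state is unchanged.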

While flash loans are meant for arbitrage trading and improving capital efficiency, hackers have regularly abused them to exploit certain vulnerabilities.

Last year, DFX Finance raised a $5 million seed round led by Polychain Capital and True Ventures.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.