DForce protocol drained of $3.6 million in reentrancy attack

A hacker siphoned more than $3.6 million from the decentralized finance (DeFi) protocol dForce in what appears to be a reentrancy attack on a Curve vault it operated on the Arbitrum and Optimism blockchains.

The DeFi project confirmed the incident in a Twitter post, adding that it has paused its contracts to prevent further damage.

The attack was seemingly enabled by a reentrancy vulnerability, which can occur when an attacker repeatedly invokes a smart contract function and extracts assets from it before the contract updates its internal state. This can happen when there is a bug in the smart contract code or a lack of proper security measures.

"On Feb. 10, our wstETH/ETH Curve vaults on Arbitrum and Optimism were exploited and we immediately paused all vaults. The vulnerability is identified, and the exploit was specific to dForce's wstETH/ETH-Curve vault," the team noted.

According to two leading crypto security firms, BlockSec and PeckShield, total losses from the attack were about $3.6 million. The reentrancy bug was present in a smart contract function used by dForce to calculate oracle prices on the Arbitrum and Optimism chains when connected to Curve Finance. The specific function, known as "get_virtual_price," is a command that gives an estimated oracle price and can be invoked by any protocol when connected to Curve. It is used to calculate the price of the liquidity pool token.

Matthew Jiang, director of security services at BlockSec, told The Block that any protocol using the "get_virtual_price" function to calculate the price oracle is vulnerable, including dForce. He added that the issue is publicly known and does not impact Curve itself. Still, projects need to be more cautious and take additional steps while estimating oracle prices, as they can be manipulated by malicious actors to carry out reentrancy attacks.