DForce protocol drained of $3.6 million in reentrancy attack

Quick Take

  • DForce DeFi protocol suffered a loss of $3.6 million in a reentrancy attack on the Arbitrum and Optimism chains.
  • The attack was a result of a vulnerability in a smart contract function used to calculate oracle prices when connected to Curve Finance.

A hacker siphoned more than $3.6 million from the decentralized finance (DeFi) protocol dForce in what appears to be a reentrancy attack on a Curve vault it operated on the Arbitrum and Optimism blockchains.

The DeFi project confirmed the incident in a Twitter post, adding that it has paused its contracts to prevent further damage.

The attack was seemingly enabled by a reentrancy vulnerability, which can occur when an attacker repeatedly invokes a smart contract function and extracts assets from it before the contract updates its internal state. This can happen when there is a bug in the smart contract code or a lack of proper security measures.

"On Feb. 10, our wstETH/ETH Curve vaults on Arbitrum and Optimism were exploited and we immediately paused all vaults. The vulnerability is identified, and the exploit was specific to dForce's wstETH/ETH-Curve vault," the team noted.


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

According to two leading crypto security firms, BlockSec and PeckShield, total losses from the attack were about $3.6 million. The reentrancy bug was present in a smart contract function used by dForce to calculate oracle prices on the Arbitrum and Optimism chains when connected to Curve Finance. The specific function, known as "get_virtual_price," is a command that gives an estimated oracle price and can be invoked by any protocol when connected to Curve. It is used to calculate the price of the liquidity pool token.

Matthew Jiang, director of security services at BlockSec, told The Block that any protocol using the "get_virtual_price" function to calculate the price oracle is vulnerable, including dForce. He added that the issue is publicly known and does not impact Curve itself. Still, projects need to be more cautious and take additional steps while estimating oracle prices, as they can be manipulated by malicious actors to carry out reentrancy attacks.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]


To contact the editor of this story:
Mike Millard at
[email protected]