Dough Finance has suffered a significant flash loan attack, resulting in a loss of approximately $1.8 million in digital assets. The incident, detected on July 12 by the Web3 security firm Cyvers, involved the exploitation of a vulnerability in the platform’s “ConnectorDeleverageParaswap” smart contract. The contract, intended to facilitate transactions, did not adequately validate calldata during flash loan operations, which enabled the attacker to manipulate transaction details and unlawfully transfer 608 ETH, valued at around $1.8 million at the time.
The stolen funds, initially in USD Coin (USDC), were quickly converted into ETH using the zero-knowledge protocol Railgun, complicating recovery efforts. Users with deposits in the affected contract are primarily impacted. While other DeFi lending pools, such as Aave, were not affected, this incident highlights the ongoing vulnerabilities of smart contracts within the decentralized finance ecosystem.
Security experts, including Olympix, have advised users to withdraw their funds to secure wallets and to avoid interacting with Dough Finance until the platform provides clear safety guidance.
🚨🚨#OlympixAlert
Attention @DoughFinance Users: Exploit Alert!
Dough Finance has been exploited for roughly ~$1.8 million in USDC! Here’s a breakdown based on available information:
❓What Happened?
The exploit originated from unvalidated calldata within the…
— Olympix (@Olympix_ai) July 12, 2024
This attack adds to a troubling trend of security breaches in the cryptocurrency sector in 2024. A recent report by CertiK indicates that on-chain attacks have led to losses surpassing $1.19 billion in the first half of the year, with phishing schemes and private key compromises being significant contributors.