- Dough Finance, a DeFi protocol, suffered a significant exploit on Friday, resulting in substantial financial losses.
- The exploited funds were funneled through Railgun’s zero-knowledge protocol and later converted to Ethereum.
- In response, Dough Finance is actively working on mitigating the damage and recovering the stolen assets.
A flash loan exploit has cost Dough Finance nearly $2 million, highlighting ongoing security vulnerabilities within decentralized finance.
Significant Losses for Dough Finance Following Flash Loan Attack
On the morning of July 12, Dough Finance became the latest DeFi casualty when it was targeted by a flash loan attack, leading to a loss of around $2 million. This incident was first identified by Cyvers, a prominent Web3 blockchain security firm, which flagged numerous suspicious transactions associated with the protocol.
Details of the Attack and Financial Impact
Reports by Cyvers detail how the hacker exploited a vulnerability within Dough Finance’s smart contract, specifically manipulating it to siphon off $1.8 million in USDC. The stolen funds were then converted into Ethereum, realizing approximately 608 ETH initially. Olympix, another Web3 security entity, attributed the attack to flaws in the ConnectorDeleverageParaswap contract, which lacked thorough validation of flash loan calls.
Secondary Exploits and Ongoing Security Risks
After the initial loss, further attacks followed, resulting in an additional $141,000 being stolen and bringing the total loss to $1.96 million. Despite the severity of these breaches, Cyvers confirmed that the pools of Aave, another lending protocol, were not compromised in these attacks.
Community and Team Response
Following the events, Dough Finance promptly notified its users to withdraw their remaining funds to mitigate further losses and identified the loophole responsible for the exploit. The protocol’s team has also taken swift steps to close the vulnerability and is actively seeking ways to recover the stolen assets. The team communicated with the exploiter through an on-chain message, offering to discuss a potential bounty if the funds are returned, stressing that failure to comply would result in legal action.
Broader Implications for DeFi Security
This incident with Dough Finance is part of a broader pattern of increasing security challenges faced by DeFi projects. Notably, even reputable projects like Compound Finance have recently fallen victim to phishing attacks that leveraged DNS domain compromises, redirecting users to malicious clone sites designed to drain their funds.
Conclusion
These incidents underscore the pressing need for enhanced security measures within the DeFi ecosystem. As Dough Finance takes steps to address the aftermath of the exploit, this situation serves as a critical reminder for investors and developers alike to prioritize robust security protocols and vigilance against potential threats.