Decentralized finance (DeFi) protocol Dough Finance has lost $1.8 million in digital assets due to a flash loan attack.
Web3 security firm Cyvers detected the attack on July 12, the company said in a post on X.
Cyvers said that, upon detecting multiple suspicious transactions, it reached out to lending protocol Aave to investigate potential impacts on its pools.
“After communicating with the AAVE team, we can confirm that AAVE pools are NOT affected,” it wrote.
Attacker Uses Railgun to Execute Attack
The attacker used the zero-knowledge (ZK) protocol Railgun to execute the attack by swapping the stolen USD Coin for Ether, accumulating a total of 608 ETH valued at around $1.8 million.
Further analysis by Web3 security provider Olympix revealed that the exploit was a result of unvalidated calldata in the “ConnectorDeleverageParaswap” contract.
Olympix explained that the contract failed to properly check the data it received during flash loan calls, allowing the attacker to manipulate it to their advantage and steal the funds.
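For readers who want to see what validating flash-loan calldata involves, the following Solidity sketch is an added example and is not Dough Finance's code or Olympix's analysis. It shows a connector that accepts a callback only from its lender, only for loans it started itself, and only with the exact parameters it built. The names ValidatedDeleverage, deleverage, swapRouter, allowedSelector and expectedParams are hypothetical, and the callback shape assumes an Aave V3-style flashLoanSimple lender, which the reporting above does not specify.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Like { function approve(address spender, uint256 value) external returns (bool); }
interface IFlashLender { // subset of Aave V3's IPool, assumed here as the lender
    function flashLoanSimple(address receiver, address asset, uint256 amount,
                             bytes calldata params, uint16 referralCode) external;
}

// Hypothetical connector written for illustration; not Dough Finance's contract.
contract ValidatedDeleverage {
    IFlashLender public immutable pool;   // the only address allowed to call back
    address public immutable swapRouter;  // fixed swap target, never read from calldata
    mapping(bytes4 => bool) public allowedSelector; // router functions users may reach
    bytes32 private expectedParams;       // commitment to the params of the loan in flight

    event Deleveraged(address indexed user, address asset, uint256 amount);

    constructor(IFlashLender pool_, address swapRouter_, bytes4[] memory selectors) {
        pool = pool_;
        swapRouter = swapRouter_;
        for (uint256 i = 0; i < selectors.length; i++) allowedSelector[selectors[i]] = true;
    }

    function deleverage(address asset, uint256 amount, bytes calldata swapData) external {
        // Reject swap data whose function selector is not on the allowlist.
        require(swapData.length >= 4 && allowedSelector[bytes4(swapData[:4])], "selector not allowed");
        bytes memory params = abi.encode(msg.sender, swapData);
        expectedParams = keccak256(params); // bind the callback to exactly these bytes
        pool.flashLoanSimple(address(this), asset, amount, params, 0);
        delete expectedParams;              // no loan in flight any more
    }

    function executeOperation(address asset, uint256 amount, uint256 premium,
                              address initiator, bytes calldata params) external returns (bool) {
        require(msg.sender == address(pool), "caller is not the lender");
        require(initiator == address(this), "loan not started by this contract");
        require(keccak256(params) == expectedParams, "params not built by deleverage()");
        (address user, bytes memory swapData) = abi.decode(params, (address, bytes));
        (bool ok, ) = swapRouter.call(swapData); // target is fixed; only its arguments vary
        require(ok, "swap failed");
        // The connector's own position bookkeeping for `user` would follow here.
        emit Deleveraged(user, asset, amount);
        IERC20Like(asset).approve(address(pool), amount + premium); // let the lender pull repayment
        return true;
    }
}
```

A selector allowlist limits which router functions can be reached but does not check their arguments, so a production connector would also decode and validate the swap parameters themselves.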
While the hack primarily affected users who deposited funds into the exploited contract of Dough Finance, Olympix clarified that the incident did not impact Aave pools.
To mitigate risks, the security provider advised affected users to withdraw their funds to a secure wallet and to refrain from interacting with the protocol until the situation is resolved.
#OlympixAlert
Attention @DoughFina Users: Exploit Alert!
Dough finance has been exploited for roughly ~$1.8 million in USDC! Here’s a breakdown of the situation based on available information:
What Happened?
The exploit stemmed from unvalidated calldata within the…
— Olympix (@Olympix_ai) July 12, 2024
It is worth noting that the Dough Finance attack is not an isolated incident in the crypto space.
According to a security report published by CertiK on July 3, the first half of 2024 witnessed losses of over $1 billion in digital assets due to various security incidents.
Phishing attacks and private key compromises were identified as the main culprits behind these losses, accounting for nearly $500 million and almost $409 million, respectively.
Crypto Market Recovers Over Half of Stolen Funds in Q2
The cryptocurrency market has shown great resilience in the face of adversity, achieving a record recovery rate of 77% for stolen funds in the second quarter of 2024.
In Q2 2024, $347.4 million of the stolen crypto funds were successfully recovered or frozen out of the total $512.9 million lost, according to Hacken’s Web3 Security Report Q2 2024.
“For the second consecutive quarter, the silver lining amid the alarming rate of theft in crypto is the amount of funds recovered,” the report said.
It is worth noting that cryptocurrency scams have thrived on X, with analysts attributing a significant portion of all crypto scams to scammers on the platform.
Scam Sniffer, a web3 anti-scam company present on X, conducted an analysis revealing that nearly $50 million is lost each month due to account impersonation on X.com.
Just recently, Binance co-founder Yi He raised concerns about the proliferation of cryptocurrency scams on X, questioning whether Musk would take action to tackle the issue.
The post Dough Finance Suffers $1.8 Million Loss in Flash Loan Attack appeared first on Cryptonews.