Decoding DFX Finance Exploit | QuillAudits

Summary:

On the 10th of November 2022, DFX Finance was attacked. The attacker used a flash loan to attack DFX's contract and gained more than $7 Million. This attack was possible because the flash function lacked reentrancy protection.

Introduction to DFX Finance:

DFX is an Ethereum-based decentralized exchange protocol with a dynamically tuned bonding curve optimized for fiat-backed stablecoins (like USDC, CADC, EURS, XSGD, etc.) using real-world FX price feeds.


Vulnerability Analysis & Impact:

The attacker circumvented DFX Finance's flash-loan checks by borrowing stablecoins and depositing them back into the liquidity pools.
Because of the flaw, the contract believed that the flash loan had been repaid while it still owed the attacker the deposited sum.

Here is a basic overview of the attack and how it was executed:

On-Chain Details:

Attack Txn: 0x390def749b71f516d8bf4329a4cb07bb3568a3627c25e607556621182a17f1f9

Attacker’s Address: 0x14c19962e4a899f29b3dd9ff52ebfb5e4cb9a067

Attacker Contract: 0x6cfa86a352339e766ff1ca119c8c40824f41f22d

The Attack:

1. The attacker funded 0.16 ETH from Tornado Cash to the 0x8d034 address and then sent it to the 0x14c199 address, from which he created the contract used for the attack.

2. The attacker called the flash function and took a flash loan from the contract.

3. Next, the attacker deposited the flash-loan amount back into the contract by calling the deposit function. When the flash-loan amount is deposited, the contract assumes that the attacker has repaid the flash loan, and the contract now owes the attacker the deposited amount.

4. Finally, the attacker called the withdraw function to redeem the LP tokens he had received for depositing the tokens. He repeated this with multiple flash loans and made a profit of around $4.3 Million.

A twist in the plot:

An MEV bot front-ran the attacker's transactions and extracted around 3.2 Million from the transaction. DFX Finance requested that the bot owner return the funds to them.

After the Exploit:

The DFX Finance team acknowledged the security flaw and announced that all of its smart contracts had been paused in order to address the problem.

Status of Funds:

The hacker transferred the majority of the funds through Tornado Cash.

At the time of writing, the hacker's address holds around $544,077.

How the attack could have been mitigated:

The attack could have been mitigated by adding the nonReentrant modifier to the flash function, so that deposit could not be called while a flash loan was still in progress.
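To show why a balance-only repayment check is fooled by a deposit made inside the borrower's callback, and why a nonReentrant guard on flash stops it, here is an added example that is not DFX's code: a deliberately simplified one-token Python model of a pool, with constructed numbers, in which deposit and withdraw already carry the guard and flash carries it only when flash_guarded is set.

```python
import copy
from dataclasses import dataclass, field

class Revert(Exception):
    """Stands in for a Solidity revert."""

@dataclass
class Pool:  # hypothetical one-token pool, LP shares credited 1:1 on deposit (constructed model)
    reserve: int                 # tokens the pool actually holds
    flash_guarded: bool = False  # True: flash() also carries the shared nonReentrant guard
    lp: dict = field(default_factory=dict)
    locked: bool = False         # ReentrancyGuard status shared by every guarded function

    def _lock(self):
        if self.locked:
            raise Revert("ReentrancyGuard: reentrant call")
        self.locked = True

    def deposit(self, who, amount):  # nonReentrant
        self._lock()
        self.reserve += amount
        self.lp[who] = self.lp.get(who, 0) + amount
        self.locked = False

    def withdraw(self, who, shares):  # nonReentrant
        self._lock()
        if self.lp.get(who, 0) < shares:
            raise Revert("insufficient LP shares")
        self.lp[who] -= shares
        self.reserve -= shares
        self.locked = False

    def flash(self, amount, callback):  # nonReentrant only when flash_guarded
        if self.flash_guarded:
            self._lock()
        before = self.reserve
        self.reserve -= amount         # loan leaves the pool
        callback(self, amount)         # borrower's code runs here
        if self.reserve < before:      # repayment judged by balance alone
            raise Revert("flash loan not repaid")
        self.locked = False

def scenario(flash_guarded):  # flash -> deposit the loan inside the callback -> withdraw LP
    pool, me = Pool(reserve=1_000, flash_guarded=flash_guarded), "borrower"
    try:
        pool.flash(500, lambda p, amt: p.deposit(me, amt))  # balance restored, yet LP credited
        pool.withdraw(me, pool.lp.get(me, 0))               # pool pays out the credited shares
    except Revert as e:
        return False, str(e)   # on-chain, the revert undoes every state change made above
    return True, pool.reserve  # unguarded: the pool keeps only half of its 1,000 tokens
```

scenario(False) returns (True, 500): the unguarded pool lost 500 tokens to a loan it believed was repaid, while scenario(True) reverts at the inner deposit because flash now holds the shared lock.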

Reference:

https://twitter.com/DFXFinance/status/1590858722728972289
