Decoding DFX Finance Exploit | QuillAudits


Introduction to DFX Finance:


Vulnerability Analysis & Impact:

Here is a basic overview of the attack and how it was executed:

On-Chain Details:

Attacker’s Address: 0x14c19962e4a899f29b3dd9ff52ebfb5e4cb9a067

Attacker Contract: 0x6cfa86a352339e766ff1ca119c8c40824f41f22d

The Attack:

1. The attacker funded the 0x8d034 address with 0.16 ETH from Tornado Cash, then moved the funds to the 0x14c199 address, from which the attack contract was deployed.

2. The attacker called the flash function and took a flash loan from the contract.

3. Next, the attacker called the contract's deposit function with the borrowed tokens while the flash loan was still outstanding. The contract's repayment check only compares its token balance after the loan with the balance before, so the deposit satisfied it: the contract treated the loan as repaid, and at the same time credited the attacker with LP tokens for the deposited amount.

4. Finally, the attacker called the withdraw function, redeeming those LP tokens for the pool's underlying tokens. Repeating this across multiple flash loans yielded a profit of around $4.3 million.
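The flow in steps 2 to 4 comes down to a flash-loan function whose only repayment check is a balance comparison after the borrower's callback. The following Python model is an added illustration, not DFX's contract code: a pool with flash, deposit and withdraw functions, an attacker whose callback re-enters deposit, and an optional lock standing in for a reentrancy guard, which is one standard way to stop this pattern. Reserve sizes, the 5 bps fee, the 1:1 LP minting and the class and function names are all assumptions made for the example.

```python
"""Simplified model of the accounting flaw described above.

Constructed illustration only, not the DFX Finance contract. The pool's
flash loan checks repayment solely by comparing its balance after the
borrower's callback with the balance before; a deposit made inside that
callback satisfies the check while also minting LP tokens to the borrower.
"""


class Reentrancy(Exception):
    """Raised by the guarded pool when a locked function is re-entered."""


class Pool:
    FEE_BPS = 5  # assumed flash-loan fee, 0.05%

    def __init__(self, reserve, guarded=False):
        self.reserve = reserve   # tokens the pool currently holds
        self.lp = {}             # LP balance owed per depositor (1:1, an assumption)
        self.guarded = guarded   # True = behave like a nonReentrant modifier
        self._locked = False

    def _enter(self):
        # Stand-in for a reentrancy guard: refuse nested calls while locked.
        if self.guarded and self._locked:
            raise Reentrancy("re-entrant call into a locked function")
        self._locked = True

    def _exit(self):
        self._locked = False

    def flash(self, borrower, amount):
        """Lend `amount`, run the borrower's callback, then verify repayment."""
        self._enter()
        try:
            fee = amount * self.FEE_BPS // 10_000
            before = self.reserve
            self.reserve -= amount               # tokens leave the pool
            borrower.on_flash(self, amount, fee)
            # The only repayment check: balance must be back, plus the fee.
            # It cannot tell a repayment from a deposit.
            if self.reserve < before + fee:
                raise ValueError("flash loan not repaid")
        finally:
            self._exit()

    def deposit(self, who, amount):
        """Take tokens in and credit the depositor with LP tokens."""
        self._enter()
        try:
            self.reserve += amount
            self.lp[who] = self.lp.get(who, 0) + amount
        finally:
            self._exit()

    def withdraw(self, who):
        """Burn the caller's LP tokens and pay out the underlying tokens."""
        self._enter()
        try:
            owed = self.lp.pop(who, 0)
            self.reserve -= owed
            return owed
        finally:
            self._exit()


class Attacker:
    def __init__(self, funds):
        self.funds = funds  # attacker's own token balance

    def on_flash(self, pool, amount, fee):
        # Re-enter the pool from inside the flash-loan callback: the borrowed
        # tokens (plus fee) go back in as a *deposit*, so the pool's balance
        # check passes and the pool now owes the whole amount as LP tokens.
        self.funds += amount
        self.funds -= amount + fee
        pool.deposit(self, amount + fee)


START_RESERVE = 1_000_000  # assumed pool size
START_FUNDS = 10_000       # assumed attacker capital (covers the fee only)


def run_attack(guarded):
    """Return (outcome, pool reserve, attacker funds) after one flash/withdraw cycle."""
    pool = Pool(START_RESERVE, guarded=guarded)
    atk = Attacker(START_FUNDS)
    try:
        pool.flash(atk, START_RESERVE)
    except Reentrancy:
        # On-chain the revert unwinds every state change of the transaction,
        # so both parties are back at their starting balances.
        return ("reverted", START_RESERVE, START_FUNDS)
    atk.funds += pool.withdraw(atk)
    return ("drained", pool.reserve, atk.funds)


if __name__ == "__main__":
    print(run_attack(guarded=False))
    print(run_attack(guarded=True))
```

Without the lock, one flash/withdraw cycle leaves the pool empty and the attacker holding the whole reserve; with the lock, the nested deposit call fails and the transaction reverts before any tokens move. The fee in the model comes back to the attacker through the LP position, which is why the drained pool ends at exactly zero.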

A twist in the plot:

An MEV bot front-ran the attacker's transactions and extracted around $3.2 million in the process. DFX Finance asked the bot owner to return the funds.

After the Exploit:

Status of Funds:

At the time of writing, the attacker's address holds around $544,077.

How the attack could have been mitigated:

