Dough Finance flash loan attack: What we know so far

Dough Finance lost $1.8M in a flash loan attack due to smart contract vulnerability.
Attacker exploited unvalidated calldata stealing USDC before converting the assets into 608 ETH.
Users urged to withdraw funds to secure wallets.

Dough Finance has fallen victim to a significant flash loan attack, resulting in a staggering loss of digital assets worth approximately $1.8 million.

The attack, which exploited vulnerabilities in the protocol’s smart contract, highlights ongoing security challenges within the cryptocurrency space, and specifically within the DeFi space.

What happed in the Dough Finance attack?

The attack, detected on July 12 by Web3 security firm Cyvers, targeted Dough Finance’s “ConnectorDeleverageParaswap” smart contract.

This contract, designed to facilitate transactions within the DeFi platform, failed to adequately validate call data during flash loan executions giving the attacker a chance to manipulate transaction details and illegally transfer of 608 Ether (ETH), valued at approximately $1.8 million at the time of the attack.

The funds, originally in the form of USD Coin (USDC), were swiftly converted into ETH using the zero-knowledge protocol Railgun, complicating efforts to trace and recover the stolen assets.

Who were affected by the flash loan attack?

The Dough Finance flash loan attack primarily affected users who had funds deposited in the exploited contract of Dough Finance.

While the lending pools of Aave, another prominent DeFi platform, remained unaffected, the incident underscores the vulnerability of smart contracts and the potential risks associated with decentralized finance protocols.

Security experts, including Olympix, emphasized the importance of users withdrawing their funds to secure wallets and refraining from interacting with Dough Finance until the platform issues clear guidance on safety measures.

🚨🚨#OlympixAlert

Attention @DoughFina Users: Exploit Alert!

Dough finance has been exploited for roughly ~$1.8 million in USDC! Here’s a breakdown of the situation based on available information:

❓What Happened?

The exploit stemmed from unvalidated calldata within the… pic.twitter.com/NBcCwsMl10

— Olympix (@Olympix_ai) July 12, 2024

Remarkably, the attack on Dough Finance adds to a concerning trend of security breaches plaguing the cryptocurrency industry in 2024.

According to a recent report by CertiK, on-chain attack incidents have already led to losses exceeding $1.19 billion in the first half of the year, with phishing attacks and private key compromises contributing significantly to these figures.