Carding Forum
Flash loans were behind the attack.
DeFi protocol Dough Finance lost almost $2 million worth of cryptocurrency in a flash loan attack on the protocol. A flash loan lets a user borrow large amounts, provided that the loan is repaid in a single transaction.
PeckShield was the first to draw attention to the incident. The attack was funded through the zero-knowledge (ZK) protocol Railgun, and the money was laundered through Tornado Cash. These services are often used by hackers to hide their tracks. Dough Finance acknowledged the hack a few hours after the incident.
According to Cyvers, the attacker exchanged the stolen USDC ($1) for Ethereum (ETH = $3109). As a result, the hacker received 608 ETH worth about $1.9 million. It is noteworthy that the malicious contract was created less than 2 minutes before the attack transaction.
The information security company Olympix emphasized that the exploit was caused by unverified callback data in the "ConnectorDeleverageParaswap" contract. The contract did not properly verify the data it received during flash loan calls, which allowed an attacker to manipulate the data and steal funds.
According to Olympix, users who deposited funds into the exploited contract may be affected. However, the hack did not affect Aave pools. Olympix also advised Dough Finance users to consider withdrawing funds to a secure wallet. In addition, users are strongly encouraged to follow announcements from the Dough Finance team and avoid interacting with the protocol until the situation is resolved.
Dough Finance reported that it is actively working to recover lost funds and create a fund to help affected users.
Source
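The missing check Olympix describes, modelled as an added Python example; it is not code from the post or from Dough Finance. The `Connector` class, its method names and all addresses are constructed assumptions that show how a flash loan callback can refuse data it did not commit to beforehand.

```python
import hashlib
from dataclasses import dataclass, field

POOL = "0xPOOL"                     # constructed: the only lender allowed to call back
ROUTER_ALLOWLIST = {"0xROUTER"}     # constructed: approved swap targets


@dataclass
class Connector:
    """Hypothetical model of a deleverage connector with a validated callback."""
    address: str = "0xCONNECTOR"
    pending: set = field(default_factory=set)   # commitments for loans we started

    @staticmethod
    def _commit(owner, swap_target, swap_data):
        # Bind every field the callback will act on into one digest.
        return hashlib.sha256(repr((owner, swap_target, swap_data)).encode()).hexdigest()

    def start_deleverage(self, caller, swap_target, swap_data):
        """User entry point: record exactly what the callback may later do."""
        if swap_target not in ROUTER_ALLOWLIST:
            raise PermissionError("swap target not allowlisted")
        self.pending.add(self._commit(caller, swap_target, swap_data))

    def on_flash_loan(self, msg_sender, initiator, owner, swap_target, swap_data):
        """Lender callback: every argument arrives from outside and is checked."""
        if msg_sender != POOL:
            raise PermissionError("callback not from the lending pool")
        if initiator != self.address:
            raise PermissionError("loan was not initiated by this contract")
        if swap_target not in ROUTER_ALLOWLIST:
            raise PermissionError("swap target not allowlisted")
        digest = self._commit(owner, swap_target, swap_data)
        if digest not in self.pending:
            raise PermissionError("callback data does not match a pending request")
        self.pending.discard(digest)            # one-shot, so a replay is rejected
        return f"swap via {swap_target} for {owner}"
```
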