Dough Finance loses $1.8 million in digital assets after flash loan attack

Decentralized finance (DeFi) protocol Dough Finance has lost $1.8 million worth of digital assets in a flash loan attack. On July 12, Web3 security firm Cyvers reported that they had detected multiple suspicious transactions.

The company contacted credit protocol Aave to check if their pools were affected. However, Cyvers confirmed that the pools within Aave were safe.

Dough Finance biggest victim

However, Dough Finance has become the biggest victim of the attack. According to Cyvers, the attacker was funded via the zero-knowledge (ZK) protocol Railgun and exchanged the stolen USD Coin for Ethereum. In total, the attacker managed to steal 608 ETH, worth approximately $1.8 million.

Olympix, a web3 security provider, pointed out that the exploit was due to unvalidated call data within the “ConnectorDeleverageParaswap” contract. The company explained:

“The contract did not properly check the data it received during flash loan calls, allowing the attacker to manipulate it to his advantage.”

This in turn allowed the attacker to manipulate the data and steal the platform’s funds. Olympix subsequently warned that those who had deposited funds into Dough Finance’s exploited contract may have been affected. However, they stressed that the hack did not affect the Aave pools.

Considering withdrawing funds to secure wallet

The security provider also advised Dough Finance users to consider withdrawing their funds to a secure wallet. They also urged users to monitor announcements from the Dough Finance team and avoid interacting with the protocol until the situation is resolved.

While losses from the Dough Finance hack amounted to nearly $2 million, the broader crypto space has already lost over $1 billion worth of digital assets through various incidents.

On July 3, blockchain security firm CertiK released its security report, highlighting that losses from onchain incidents in the first half of 2024 have already reached $1.19 billion. Most of the losses were attributed to phishing attacks and private key breaches.

According to CertiK, the crypto space lost nearly $500 million to phishing attacks, while private key compromises resulted in nearly $409 million in losses. CertiK co-founder Ronghui Gu stressed the urgent need to implement multi-factor authentication methods such as two-factor authentication (2FA) and security keys.