DFXFinance was hacked for US$4 Million on 10th November 2022
According to Numen’s on-chain monitoring, on 2022–11–10 at 19:21:59 (UTC), DFXFinance was attacked. The transaction is as follows:
The attacker first called the viewDeposit function of the usdc-xidr pair contract, which takes one argument (the number of lptoken) and returns an array of two values indicating how much usdc and xidr are needed for that amount.
The attacker attains this information and starts calling the flash function of the pair contract.
The attacker’s input data is seen in the following figure:
Since the project provides a flashloan function, the attacker borrowed a sufficient amount of usdc and xidr by calling the flash function of DFX (the exact amounts are those obtained through viewDeposit above). Then the attacker’s flashloan callback calls the deposit function to redeposit the borrowed usdc and xidr into the transaction pair contract.
The deposit function calls ProportionalLiquidity.proportionalDeposit, which deposits the attacker’s borrowed funds into the transaction pair contract and mints lptoken for the attacker.
Because the borrowed funds go back into the transaction pair contract (in the form of a deposit made inside the flashloan callback), the balance check performed at the end of the flashloan function passes.
The following figure shows the balance check of flashloan:
Lastly, the attacker calls the withdraw function, burns the lptoken, and takes the usdc and xidr to complete the attack.
The attackers made away with a profit of approximately $4 million, essentially because DFX’s deposit function was not protected against re-entrancy from within the flashloan callback.
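As an added illustration (not DFX’s code), the following simplified two-token pool shows the mitigation: flash() and deposit() share a single reentrancy lock, so a deposit attempted from inside the flash callback reverts instead of satisfying the balance-only repayment check. Token names, the fee rate and the 1:1 LP accounting are assumptions chosen to keep the model short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transfer(address to, uint256 amt) external returns (bool);
    function transferFrom(address from, address to, uint256 amt) external returns (bool);
}

interface IFlashCallback {
    function onFlash(uint256 fee0, uint256 fee1, bytes calldata data) external;
}
// Simplified two-token pool: an illustrative model, not DFX's contract.
contract PairModel {
    IERC20 public immutable token0;          // stands in for usdc
    IERC20 public immutable token1;          // stands in for xidr
    uint256 public constant FEE_BPS = 5;     // assumed flash fee of 0.05%
    mapping(address => uint256) public lp;   // LP balances, assumed 1:1 with deposits
    bool private entered;
    // One lock for all entry points: the reentry path is flash() -> callback -> deposit(),
    // so deposit() must refuse to run while flash() holds the lock.
    modifier nonReentrant() {
        require(!entered, "reentrant call");
        entered = true;
        _;
        entered = false;
    }

    constructor(IERC20 t0, IERC20 t1) { token0 = t0; token1 = t1; }
    function deposit(uint256 amount0, uint256 amount1) external nonReentrant returns (uint256 minted) {
        require(token0.transferFrom(msg.sender, address(this), amount0), "t0 in");
        require(token1.transferFrom(msg.sender, address(this), amount1), "t1 in");
        minted = amount0 + amount1;
        lp[msg.sender] += minted;
    }
    function flash(uint256 amount0, uint256 amount1, bytes calldata data) external nonReentrant {
        uint256 fee0 = amount0 * FEE_BPS / 10000;
        uint256 fee1 = amount1 * FEE_BPS / 10000;
        uint256 bal0 = token0.balanceOf(address(this));
        uint256 bal1 = token1.balanceOf(address(this));
        require(token0.transfer(msg.sender, amount0), "t0 out");
        require(token1.transfer(msg.sender, amount1), "t1 out");
        IFlashCallback(msg.sender).onFlash(fee0, fee1, data);
        // Balance-only repayment check: any inflow during the callback satisfies it,
        // which is why deposit() is locked out for the duration of flash().
        require(token0.balanceOf(address(this)) >= bal0 + fee0, "t0 not repaid");
        require(token1.balanceOf(address(this)) >= bal1 + fee1, "t1 not repaid");
    }
}
```

A guard placed only on deposit() would not help here, since deposit() is not itself re-entered; the lock has to be held by flash() and honoured by deposit().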
Numen Cyber Labs recommends that projects such as these pay heed to the various vulnerabilities that a smart contract is susceptible to, and conduct the necessary security audits in order to mitigate the risk of attacks.
Numen Cyber Labs is committed to facilitating the safe development of Web3.0. We are dedicated to the security of the Web3 ecosystem, as well as operating systems/browser security/mobile security, and regularly cover developments such as these, so stay tuned for more.