/crypto · sordum · 2 years ago
Polychain-backed DFX Finance hacked for $7.5 million
A hacker siphoned over $7.5 million from stablecoin exchange DFX Finance.
The attacker took advantage of an insecure flash-loan mechanism.
DFX Finance, a decentralized exchange protocol for fiat-pegged stablecoins, reported that it was attacked at 2:21 pm ET. An unknown attacker siphoned approximately $7.5 million from DFX, according to estimates from security researchers at BlockSec.
The DFX Finance team acknowledged the security exploit and said it has paused all of its smart contracts to contain the issue. “We were notified of the suspicious activity within 20-30 mins of the first transaction and executed a pause on all DFX contracts within a few minutes after confirming the attack,” it said.
The incident appears to be a flash-loan-enabled attack that let the hacker make a malicious withdrawal from DFX. Of the $7.5 million in stolen assets, the attacker could only transfer $4.3 million worth of assets into their wallet — including 2963 ether ($3.8 million) and some $500,000 in stablecoins.
The remaining portion of the stolen assets — about $3.2 million — was extracted by an MEV bot in a front-running transaction, also called a sandwich attack. The bot-extracted funds sit in an address controlled by the bot operator and can be recovered if the operator is willing. DFX Finance has already asked the operator to return them.
The attacker took advantage of an insecure flash-loan mechanism offered by DFX Finance on the Ethereum blockchain. A flash loan is a feature in which a large amount of cryptocurrency can be borrowed with no collateral, only if those funds are returned in the same transaction.
During the attack, the attacker borrowed stablecoins from DFX Finance via a flash loan and, from within an “insecure callback function”, deposited them straight back into DFX’s liquidity pools, which satisfied the flash-loan checks. Once the flash loan completed, the attacker still held the liquidity pool tokens minted by that deposit, which they then sold off.
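The accounting flaw described above, as an added illustration (a constructed toy model, not DFX Finance's contracts): a flash loan that judges repayment by comparing the pool's balance before and after the borrower's callback cannot tell a repayment from a deposit, so a deposit made inside the callback passes the check and leaves the borrower holding freshly minted LP tokens. The guarded variant, which refuses deposits while a loan is in flight, is one assumed mitigation rather than DFX's actual fix; the `Pool` class, `run_scenario` and the amounts are all made up for the example.

```python
# Constructed model of the flaw described above, not DFX Finance code. A balance-based
# repayment check is satisfied by any inflow, even a deposit minting LP tokens to the borrower.

class Pool:
    def __init__(self, reserve, guard_during_flash):
        self.reserve = reserve           # tokens held by the pool
        self.lp_supply = reserve         # LP tokens outstanding (1:1 at genesis)
        self.lp = {}                     # holder -> LP token balance
        self.guard = guard_during_flash  # True for the hardened pool
        self.in_flash = False

    def deposit(self, who, amount):
        """Mint LP tokens pro rata to the current reserve."""
        if self.guard and self.in_flash:
            raise RuntimeError("deposit rejected while a flash loan is in flight")
        minted = amount * self.lp_supply // self.reserve
        self.reserve += amount
        self.lp_supply += minted
        self.lp[who] = self.lp.get(who, 0) + minted

    def flash_loan(self, amount, callback):
        """Lend `amount`, run the borrower's callback, then require the balance back."""
        snapshot = (self.reserve, self.lp_supply, dict(self.lp))
        self.in_flash = True
        self.reserve -= amount           # tokens leave the pool
        try:
            callback(amount)             # borrower's code runs here
            if self.reserve < snapshot[0]:   # balance-based repayment check
                raise RuntimeError("flash loan not repaid")
        except Exception:
            self.reserve, self.lp_supply, self.lp = snapshot  # revert, as the EVM would
            raise
        finally:
            self.in_flash = False

def run_scenario(guarded):
    """Borrow half the reserve and deposit it straight back inside the callback."""
    pool = Pool(reserve=1_000, guard_during_flash=guarded)
    reverted = False
    try:
        pool.flash_loan(500, lambda borrowed: pool.deposit("borrower", borrowed))
    except RuntimeError:
        reverted = True
    lp = pool.lp.get("borrower", 0)
    redeemable = lp * pool.reserve // pool.lp_supply   # tokens the LP tokens now buy
    return {"lp": lp, "redeemable": redeemable, "reverted": reverted}

print("vulnerable:", run_scenario(False))   # borrower owns half the pool for nothing
print("hardened:  ", run_scenario(True))    # deposit rejected, whole loan reverts
```

The check that matters in the guarded pool is the lock, not the balance comparison: the balance comparison alone is satisfied by the in-callback deposit in both variants.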
Source: