QI Quadriga Initiative

Jul 2024 - Dough Finance ConnectorDeleverageParaswap Vulnerability - $1.81m (Global)

Dough Finance is a DeFi protocol, and its DeFi Smart Account (DSA) integrates various DeFi services into an easy-to-use interface to help users manage their digital currency in an automated manner.

"According to Cyvers, the attacker was funded through the zero-knowledge (ZK) protocol Railgun and swapped the stolen USD Coin for Ether. The attacker got a total of 608 ETH, worth about $1.8 million."

"Web3 security provider Olympix highlighted that the exploit was due to unvalidated call data within the “ConnectorDeleverageParaswap” contract. The firm explained:

“The contract didn’t properly check the data it received during flash loan calls, allowing the attacker to manipulate it for their benefit.”
Because of this, the attacker was able to manipulate the data and steal the funds.

Olympix said those who deposited funds in the DeFi protocol’s exploited contract might be impacted. However, the security provider noted that the hack did not impact Aave pools."

"We detected potential suspicious activity related to @DoughFina. Loss $1.81M."

"Attention Dough Finance Users, We've identified an exploit: a few early Dough DeFi Smart Accounts (DSAs) were affected by a sophisticated exploit, resulting in unauthorized fund withdrawals."

"Update: We've recovered part of the stolen funds! These funds will go directly to the relief fund. Our team is working tirelessly with cybersecurity experts to recover the remaining assets. Thank you for your support and patience. #Recovery #DeFi"

Further Analysis

Dough Finance is a DeFi protocol integrating other DeFi services into an easy-to-use interface to help users automatically manage their cryptocurrency. Due to unvalidated call data in the “ConnectorDeleverageParaswap” contract, $1.81m worth of assets were drained from the Dough Finance smart contract. The Dough Finance team has an ongoing effort to recover the funds, which has so far returned only part of them to users.
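As an added illustration of the weakness class named above (this is not Dough Finance's code; the contract, interface and parameter names are hypothetical, and the flash loan entry point is modelled on an Aave V3-style simple flash loan), a connector whose callback verifies who is calling it, who initiated the loan, and that the call data matches what the owner committed to before the loan was requested:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical connector (not Dough Finance code): the checks a flash loan
// callback needs so that neither its caller nor its `params` bytes can be forged.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Aave V3-style simple flash loan entry point (assumed interface for this example).
interface IFlashLoanPool {
    function flashLoanSimple(address receiver, address asset, uint256 amount, bytes calldata params, uint16 referralCode) external;
}

contract DeleverageConnector {
    address public immutable owner;
    address public immutable pool;        // only contract allowed to invoke the callback
    address public immutable swapRouter;  // only contract the callback may call into
    bytes32 private pendingParams;        // keccak256 of params committed before the loan

    constructor(address _pool, address _swapRouter) {
        owner = msg.sender;
        pool = _pool;
        swapRouter = _swapRouter;
    }

    // Owner commits to the exact callback data, then requests the loan.
    function startDeleverage(address asset, uint256 amount, bytes calldata params) external {
        require(msg.sender == owner, "not owner");
        pendingParams = keccak256(params);
        IFlashLoanPool(pool).flashLoanSimple(address(this), asset, amount, params, 0);
    }

    // Without the first three require() checks, this function could be invoked by any
    // caller with any `params`, turning the connector into an arbitrary-call proxy for
    // the tokens it is approved to move. Each check closes one of those paths.
    function executeOperation(address asset, uint256 amount, uint256 premium, address initiator, bytes calldata params) external returns (bool) {
        require(msg.sender == pool, "callback not from pool");           // trusted caller only
        require(initiator == address(this), "loan not started here");    // trusted initiator only
        require(keccak256(params) == pendingParams, "params tampered");  // data exactly as committed
        delete pendingParams;                                            // commitment is single use
        (address target, bytes memory swapData) = abi.decode(params, (address, bytes));
        require(target == swapRouter, "unexpected target");              // allow-listed callee only
        (bool ok, ) = target.call(swapData);
        require(ok, "swap failed");
        IERC20(asset).approve(pool, amount + premium);                   // let the pool pull repayment
        return true;
    }
}
```

The commit-then-verify step is what lets the callback reject `params` that differ from what the owner submitted, independent of which contract delivered them.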

How Could This Have Been Prevented?


Sources/Further Reading

SlowMist Hacked - SlowMist Zone (Dec 31)
@SlowMist_Team Twitter (Dec 31)
ConnectorDeleverageParaswap | Address 0x9f54e8eaa9658316bb8006e03fff1cb191aafbe6 | Etherscan (Dec 31)
https://cointelegraph.com/news/dough-finance-loses-1-8m-flash-loan-attack (Dec 31)
https://www.rootdata.com/Projects/detail/Dough%20Finance (Dec 31)
@DoughFina Twitter (Dec 31)
@H4ckManac Twitter (Dec 31)
@Olympix_ai Twitter (Dec 31)
@EXVULSEC Twitter (Dec 31)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 31)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 31)
@DoughFina Twitter (Dec 31)
@Olympix_ai Twitter (Dec 31)
@DoughFina Twitter (Dec 31)

