In November 2022, the DFX Finance decentralized exchange for stablecoins was the victim of an attack.  Two attackers, one of whom was a frontrunning bot, stole a total of $7.5 million in tokens from the DEX.

Inside the Attack

The DFX Finance attacker exploited vulnerabilities in the smart contract’s flashloan functionality.  With a flashloan, a user can take out a loan, perform some actions with it, and repay the loan before the end of the transaction.

In this case, the flash function in the DFX smart contract lacked reentrancy protection.  The attacker was able to take out a flashloan and deposit that loan back into the contract.  Since the contract’s balance is the same as it was before the loan, it believes that the loan has been repaid.

However, the contract has also recorded the deposit and that it owes the attacker the deposited amount.  As a result, the attacker can then withdraw their deposit, draining value from the contract.
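The accounting flaw described above can be reproduced in a simplified Python model, together with a shared reentrancy lock as one standard mitigation. This is an added example, not DFX's contract code: the Pool class, its method names, the run helper and all amounts are constructed for illustration, and fees are ignored.

```python
from contextlib import contextmanager

class ReentrancyError(Exception): pass

class Pool:
    """Toy single-token pool; a constructed model, not DFX's contract code."""
    def __init__(self, reserves, guarded):
        self.reserves = reserves   # tokens the pool actually holds
        self.credits = {}          # amounts the pool owes to depositors
        self.guarded = guarded     # True: flash/deposit/withdraw share one lock
        self._locked = False
    @contextmanager
    def _lock(self):
        if self.guarded and self._locked:
            raise ReentrancyError("reentrant call rejected")
        self._locked = True
        try:
            yield
        finally:
            self._locked = False
    def deposit(self, who, amount):
        with self._lock():
            self.reserves += amount
            self.credits[who] = self.credits.get(who, 0) + amount
    def withdraw(self, who):
        with self._lock():
            amount = self.credits.pop(who, 0)
            self.reserves -= amount
            return amount
    def flash(self, amount, callback):
        with self._lock():
            saved = (self.reserves, dict(self.credits))
            self.reserves -= amount              # loan leaves the pool
            try:
                callback(self, amount)           # borrower's code runs here
                if self.reserves < saved[0]:     # balance-only repayment check
                    raise RuntimeError("flash loan not repaid")
            except Exception:
                self.reserves, self.credits = saved   # model a full revert
                raise

def run(guarded):
    """Return (pool reserves afterwards, amount the borrower withdrew)."""
    pool = Pool(reserves=1000, guarded=guarded)
    try:
        pool.flash(600, lambda p, amt: p.deposit("borrower", amt))
    except ReentrancyError:
        return pool.reserves, 0    # whole transaction reverted
    withdrawn = pool.withdraw("borrower")
    return pool.reserves, withdrawn
```

Without the lock, the balance check passes while the pool also records a 600-token credit; with the lock, the nested deposit is rejected and the transaction reverts with reserves intact.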

This vulnerability was exploited twice by different parties.  The original attacker stole approximately $4.3 million in tokens, and an MEV bot stole the other $3.2 million from the protocol.

Lessons Learned From the Attack

DFX Finance’s smart contracts have undergone multiple security audits.  The vulnerable code was added in V2 of the protocol, which was audited by PickAx.  However, the reentrancy vulnerability was not discovered during the audit.

Reentrancy is a common and dangerous smart contract vulnerability.  Learn more about protecting your smart contracts from reentrancy attacks by reaching out to our Web3 security experts at halborn@protonmail.com.

Explained: The DFX Finance Hack (November 2022)
Rob Behnke
11.14.2022