DFX Finance, a stablecoin trading platform that is backed by Polychain Capital and True Ventures has confirmed that it has been hacked for $7.5 million.
The trading platform said the exploit started around 7:21 PM UTC on Thursday and that it was notified of the exploits about 20 - 30 minutes after the first transaction was initiated.
DFX Finance said it took a proactive stance to halt the operations of its smart contracts in order to contain the attack. By reason of its intervention, the hacked protocol said the attacker was unable to move all of the stolen funds as an MEV bot intercepted as much as $3.2 million of the funds.
The hacker however bolted with some funds which were sent to Tornado Cash, the crypto-mixing service that was sanctioned by the United States Treasury Department. The DFX Finance attacker was able to get his hands on the funds based on a vulnerability in its flash loan protocol.
As detailed by BlockSec researchers, the attacker borrowed funds from DFX Finance on the Ethereum blockchain and immediately deposited the funds back using an “insecure callback function.” This tricked the protocol to think the funds have been paid when indeed they had not.
“When a user borrows money, the protocol should not allow any function calls that can change the balance of the DFX protocol,” BlockSec CEO Yajin Zhou told The Block.
The attacker succeeded in carting away 2,963 ETH (worth about $3.8 million) and some $500,000. DFX Finance said its Polygon pool was not impacted, however, the protocol said once it opened withdrawals, all should try to take advantage of the allowance to get out their funds.
For the umpteenth time, a DeFi protocol has been hacked again, underscoring the call for caution amongst investors and proper security provisions across the board.
Image source: Shutterstock