Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
The DFX Finance project on the ETH chain was attacked, and the attackers made a profit of about $231,138. According to SlowMist analysis, the main reason for this attack is that the Curve contract flash loan function does not have re-entrancy protection, which causes the attack to re-enter the deposit function to transfer tokens to judge the balance of flash loan repayments. The account so that the attacker can successfully withdraw money to profit. Attack method (per SlowMist): Reentrancy Attack. Reported loss: $ 231,138.
- chain
- —
- protocol
- DFXFinance
- bug_class
- reentrancy
- date_occurred
- 2022-11-11
- loss_usd
- $231,138
- source_id
- sm:dfxfinance::2022-11-11