Dough Finance Hit by $1.96 Million Exploit, User Funds at Risk!

Ugh, oh no! Dough Finance just got hit hard.

In a rather disheartening event for the community, Dough Finance has been drained for nearly $1.8  million in the USDC with subsequent attacks increasing the total loss to $1.96 million. The leakage has raised many users’ suspensions with their money and has made them doubt the safety of the service.

But wait, it gets worse… Want to know how they did it, and more importantly, how to protect your own funds? Keep reading for the chilling details and crucial steps you need to take.

Understanding the Cause

CertiK alerts have identified the root cause of the breach as a flaw in the ConnectorDeleverageParaswap contract. The issue stemmed from unvalidated calldata during flash loan calls, which allowed the attacker to manipulate the data to their advantage. Specifically, the contract failed to properly validate incoming data during these calls, giving the attacker the opportunity to exploit this vulnerability.

The attacker utilized Railgun to quickly convert the stolen USDC into ETH, complicating efforts to trace and recover the stolen funds. This swift conversion made it nearly impossible to track the assets and return them to their rightful owners.

Following the initial breach, the attacker struck Dough Finance once more, causing an additional loss of $140,498 and bringing the total damage to $1.96 million. The second attack exacerbated the situation, further undermining confidence in the platform’s security.

Who Was Affected?

Users with funds deposited in the compromised Dough Finance contracts are the most impacted by this breach. On the other hand, users associated with AAVE remain unaffected, as the attack was specific to Dough Finance contracts and did not involve any AAVE pools.

Recommended Actions for Users

Withdraw Funds Immediately: If you have funds in Dough Finance, transfer them to a secure wallet, particularly if they are in the affected contracts.

Stay Informed: Monitor updates from the Dough Finance team for further instructions and information on the breach.

Avoid Interaction: Do not engage with the Dough Finance protocol or any of its contracts until it is confirmed to be fully secure.

While the team behind Dough Finance is looking into the breach and is trying to mitigate damages, people are encouraged to get acquainted with the new information in the official media and protect their property from possible damage.

Read Also: Compound Labs Website Breach: Security Restored, Smart Contracts Safe

Flash loan, gone fast! Learn from Dough Finance’s misfortune and be proactive in protecting your crypto investments.