In a combined flash loan and malicious contract attack, decentralized exchange DODO lost nearly $3.8 million from 4 of its liquidity pools. So far, $1.89 million of the stolen funds have been recovered.
The number of DeFi protocols hit by flash loan attacks grows almost every week. Now the decentralized exchange (DEX) protocol DODO joins the list of those that have already fallen victim to this type of attack, one already very popular and well known in decentralized systems.
As the project developers explain, the protocol was deceived by a hacker who found a bug in the smart contract and took advantage of it to introduce a malicious contract containing fake tokens. These fake tokens were used to request flash loans within the protocol, with which the attacker was able to extract real tokens from 4 of its liquidity pools. After auditing the funds, DODO reported that losses amount to $3.8 million. The stolen funds were extracted from liquidity pools belonging to DODO V2 Crowdpools, specifically WSZO, WCRES, ETHA and FUSI; the funds deposited in the rest of the pools, including those in V1, are intact and remain safe.
DODO allows market makers to deposit funds into liquidity pools so that traders can buy and sell tokens from these pools. This DEX ranks as the ninth largest DEX on the market by liquidity, or total value locked (TVL), with about $39 million deposited. DODO currently runs on the Ethereum blockchain and also on Binance Smart Chain (BSC).
Attack details
According to the investigation, the attack was carried out by two actors: a bot and a hacker. The hacker withdrew ETH from a centralized exchange and then executed 7 consecutive withdrawal transactions in which he extracted value in the stablecoins BUSD and USDT.
At least 50% of the funds
In their statement, the project developers said that they expect the hacker to return at least 50% of the stolen funds, that is, about $1.88 million. This is because the person who carried out the attack has already contacted the team and agreed to return the money extracted from DODO, so the developers expect at least 50% to come back.
At the time of writing, the hacker has indeed returned some of the stolen money. The DODO developers announced that $1.89 million has already been returned, and that the necessary mechanisms are being put in place to return these funds to the owners affected by the attack.
DeFi still experimental and vulnerable
The constant attacks and exploits that occur within decentralized finance ecosystems demonstrate that, despite the disruptive potential of these ecosystems, developers have a long way to go to guarantee absolute security and trust for users and their funds.
So far this year, several DeFi protocols have been victims of vulnerabilities and exploits, almost all related to flash loan attacks, which seems to be the preferred method for cybercriminals to get hold of much of the money deposited within these protocols.
At the beginning of the month, Furucombo lost nearly $15 million as a result of an exploit caused by a malicious contract. At the time of this note, the Furucombo developers reported that they will issue iouCOMBO tokens to compensate the losses of affected users. Likewise, in February the DeFi project Alpha Finance lost about $37 million, and SushiSwap, one of the most popular DEXs in the industry, managed to stop an attack in time and lost only about $15,000; part of these funds were given to the hacker as a reward for discovering the vulnerability in SushiSwap.