Millions lost after three DeFi protocols hacked in one weekend
The decentralized finance (DeFi) sector often proves to be a minefield for those seeking out the latest opportunities; a fact that was illustrated perfectly by a trio of incidents that occurred over the weekend.
Friday saw Ethereum-based lending platform Dough Finance lose almost $2 million to a series of flash loan-powered hacks. Peckshield raised the alarm before further attack transactions were identified by ExVul, bringing the total loss to $1.96 million.
Read more: CertiK returns funds on its own terms after hacking Kraken for $3M
The vulnerability was identified as a lack of validation of flash loan ‘callback’ data, according to crypto auditing firms Ancilia and CertiK. A flash loan allows a user to access vast amounts of crypto, provided the amount is paid back within the same transaction.
Peckshield followed the flow of funds, demonstrating the funding of the attack via Railgun and the laundering of funds via Tornado Cash after the event. Both Railgun and Tornado Cash are controversial privacy tools, often used by hackers to cover their tracks.
In what was the platform’s first post to X (formerly Twitter), Dough Finance acknowledged the hack a few hours later.
After a well-needed break on Saturday, Sunday saw two incidents that display the wide range of attack vectors faced by DeFi users.
First, the Discord server of Ethena, issuer of $3.4 billion ‘synthetic dollar’ USDe, was compromised. The breach led to a seemingly legitimate account posting the promise of ‘retroactive rewards’ for token holders while linking to a malicious URL.
Read more: Ethena offers 27% on stablecoins but where is the yield coming from?
The suspicious message was reported by ZachXBT via Telegram, and Ethena issued an official warning in a post on X shortly after, which has since been deleted.
The incident highlights the variety of dangers faced by DeFi users, which come not only from hacked ‘smart contracts’ holding their crypto, but also from insecurities in legacy web infrastructure, such as social media or the project’s websites themselves.
Read more: Compound Finance and Celer Network websites compromised in ‘front-end’ attacks
Last week, a web domain hijacking spree hit the sector, with Compound Finance, Celer Network, Pendle Finance, and (ironically) Unstoppable Domains among those hit.
To round out the weekend, another lending platform, Minterest, advised users that it had been exploited for $1.4 million on Sunday evening. The hack, which occurred on Ethereum-rollup Mantle, also appears to have been a flash loan attack, similar to that which hit Dough Finance on Friday.
Read more: Sifu’s UwU Lend reportedly hacked for $20M, Curve’s Egorov among affected
The attacker’s address was funded via Tornado Cash on Ethereum, suggesting that the Minterest team’s hopes that the hacker had ‘executed this exploit as a white hat’ may be short-lived.
It wasn’t all bad news, however. As noted by Cyvers, one phishing victim, who lost $32 million of Lido-staked ETH over a year ago, has begun to receive a refund.
After being contacted out of the blue via an on-chain message reading “i am the guy who took your money… i want to give the moneyback,” the victim has today confirmed receipt of over 10M DAI over the course of the past week.
Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.