Decentralized finance (DeFi) protocol Dough Finance has lost $1.8 million in digital assets due to a flash loan attack.
Web3 security firm Cyvers detected the attack on July 12, the company said in a post on X.
Cyvers said that, upon detecting multiple suspicious transactions, it reached out to lending protocol Aave to investigate potential impacts on its pools.
“After communicating with the AAVE team, we can confirm that AAVE pools are NOT affected,” it wrote.
The attacker used the zero-knowledge (ZK) protocol Railgun to execute the attack by swapping the stolen USD Coin for Ether, accumulating a total of 608 ETH valued at around $1.8 million.
Further analysis by Web3 security provider Olympix revealed that the exploit resulted from unvalidated calldata in the “ConnectorDeleverageParaswap” contract.
Olympix explained that the contract failed to properly check the data it received during flash loan calls, allowing the attacker to manipulate that data to their advantage and steal the funds.
While the hack primarily affected users who deposited funds into the exploited contract of Dough Finance, Olympix clarified that the incident did not impact Aave pools.
To mitigate risks, the security provider advised affected users to withdraw their funds to a secure wallet and to refrain from interacting with the protocol until the situation is resolved.