DeFi Protocol Dough Finance Exploit Swipes $1.96 Million In User Funds

As a researcher with extensive experience in the DeFi space, I find it disheartening to see yet another protocol fall victim to an exploit. The recent incident at Dough Finance is particularly troubling, as it resulted in the loss of nearly $2 million worth of user funds.


On Friday morning, yet another Decentralized Finance (DeFi) platform, Dough Finance, succumbed to an exploit. The open-source project, designed for creating non-custodial liquidity markets, suffered a flash loan attack that resulted in the loss of approximately $2 million worth of user funds. The development team has acknowledged the incident and is working to rectify the situation as swiftly as possible.

Dough Finance Protocol Loses $1.96 Million

On July 12th, I came across disturbing news about Dough Finance while browsing online. The web3 blockchain security firm, Cyvers, alerted me that they had identified several questionable transactions linked to this DeFi protocol.

According to the report, an attacker manipulated Dough Finance’s smart contract and made off with $1.8 million in USDC. The attacker funded the attack through the ZK protocol Railgun and subsequently converted the stolen funds into Ethereum (ETH), receiving approximately 608 ETH.

According to the Web3 security company Olympix, the exploit took place in the ConnectorDeleverageParaswap contract. It appears that this contract failed to thoroughly validate the data passed in flash loan calls.

Unchecked calldata enabled an attacker to modify the contract’s information and transfer funds to an external account during the first wave of attacks. Further instances of the exploit followed.
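
The kind of validation described as missing, sketched as an added example (not Dough Finance's code and not taken from the Olympix report): a flash-loan receiver that checks the caller, the initiator and the decoded calldata before acting on it. The contract and interface names are hypothetical, and the pool and callback signatures are assumed to follow Aave V3's simple flash loan.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Dough Finance's code. All names are hypothetical; the
// pool and callback signatures are assumed to follow Aave V3's simple flash loan.
interface IPoolLike {
    function flashLoanSimple(address receiver, address asset, uint256 amount,
        bytes calldata params, uint16 referralCode) external;
}
interface IERC20Like {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract CheckedFlashLoanConnector {
    address public immutable pool;   // only this contract may call back
    address public immutable owner;  // only this account may start a loan
    mapping(address => bool) public allowedTarget; // vetted swap routers

    constructor(address pool_, address[] memory targets) {
        pool = pool_;
        owner = msg.sender;
        for (uint256 i = 0; i < targets.length; i++) allowedTarget[targets[i]] = true;
    }

    // Params are built here by the owner, never accepted from a third party.
    function start(address asset, uint256 amount, address target, bytes calldata swapData) external {
        require(msg.sender == owner, "not owner");
        require(allowedTarget[target], "target not allowed");
        IPoolLike(pool).flashLoanSimple(address(this), asset, amount, abi.encode(target, swapData), 0);
    }

    function executeOperation(address asset, uint256 amount, uint256 premium,
        address initiator, bytes calldata params) external returns (bool)
    {
        // 1. The callback must come from the lending pool itself.
        require(msg.sender == pool, "caller is not pool");
        // 2. The loan must have been requested by this contract through start().
        require(initiator == address(this), "foreign initiator");
        // 3. Re-check the decoded params before acting on them.
        (address target, bytes memory swapData) = abi.decode(params, (address, bytes));
        require(allowedTarget[target], "target not allowed");
        (bool ok, ) = target.call(swapData);
        require(ok, "swap failed");
        // 4. Let the pool pull back principal plus fee, and nothing more.
        require(IERC20Like(asset).approve(pool, amount + premium), "approve failed");
        return true;
    }
}
```

An allowlisted target is necessary but not sufficient, because the swap data itself can name a recipient; production code would also compare token balances before and after the external call.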

These follow-up attacks caused an additional loss of $141,000 in USDC, bringing the total stolen crypto funds up to $1.96 million. Aave’s lending pools, however, were not impacted by these incidents.

Scammers Target DeFi Projects

Following the preliminary notifications, the DeFi protocol acknowledged the security breach and advised users to remove any remaining funds. Subsequently, Dough Finance disclosed that they had located and sealed the vulnerability.

As a crypto investor in Dough Finance, I’ve learned that some early Dough DeFi Smart Accounts (DSAs) have unfortunately fallen victim to a complex exploit. However, I want to reassure you all that Dough Finance’s dedicated team is working diligently to address this incident, recover the lost funds, and make things right for affected investors.

According to on-chain records, the team contacted the exploiter via the blockchain. In its message, the DeFi platform told the exploiter that it had reported the incident to the relevant authorities.

As an analyst, I would suggest paraphrasing it as follows: I can discuss a reward with the hacker if they’ve uncovered this vulnerability ethically, either as a “white hat” (ethical hacker) or a “grey hat” (hacker with good intentions but not always following the rules). The team has provided the transfer address for the funds.

The exploiter must get in touch with the DeFi protocol team by Monday, July 15, 2024, at 11:00 p.m. UTC. Failure to respond will be interpreted as an attempt to unlawfully seize the funds, and the team reserves the right to pursue criminal, legal, and administrative actions to recover the misappropriated assets.

Scammers have been actively exploiting the Decentralized Finance (DeFi) sector recently. For instance, this week, several DeFi projects such as Compound Finance fell victim to phishing attacks. It appears that these projects were susceptible to DNS domain spoofing, which redirected users unknowingly to fraudulent websites.

The cloned websites acted as drainers, potentially emptying the funds of users who interacted with them. Consequently, the development teams advised users to temporarily avoid the sites.


2024-07-13 08:11