DForce Network Reentrancy Vulnerability
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
dForce is a decentralized financial network that provides a complete set of DeFi protocols covering assets, lending, and trading. Its protocols are deployed on several blockchains, including Ethereum, Binance Smart Chain, Polygon, and KAVA. The reentrancy vulnerability in Curve has been well-known, and the same vulnerability was exploited in an attack that netted $1.9M on Arbitrum and $1.7M on Optimism against DForce. The attack involved flash loaned funds being deposited into Curve's wstETH/ETH and then into dForce's wstETHCRV-gauge vault. The attacker then used the remove_liquidity function to manipulate the virtual price, which dForce uses as an oracle for the wstETHCRV-gauge tokens. dForce confirmed the incident, paused all vaults, and later announced that users' funds supplied to dForce Lending and other vaults were safe. The good news is that the exploiter returned all funds to dForce multisigs a few days later.
About DForce Network
dForce is a decentralized financial network that provides a complete set of DeFi protocols covering assets, lending, and trading. Its protocols are deployed on several blockchains, including Ethereum, Binance Smart Chain, Polygon, and KAVA. USX is dForce's over-collateralized stablecoin that implements multiple minting modules and a hybrid interest policy to efficiently improve liquidity on the secondary market. The DF token is used for network governance and DF holders can stake their tokens to earn fee income, inflationary rewards, and ecosystem airdrops. The network also provides PoS validation services and a decentralized lending and borrowing platform.
"dForce advocates for building a complete set of DeFi protocols covering assets, lending, and trading, serving as DeFi infrastructure in Web 3. dForce is currently deployed on Ethereum, Arbitrum, Optimism, Polygon, Binance Smart Chain (BSC), and KAVA."
"Peer-to-Peer & Decentralized Financial Network. Permission-less and open – everyone with internet access can participate. Non-custodial – minimal trust cost, users always have ownership over their crypto assets. Open-sourced – anyone can integrate with dForce and build your own product on top of our protocols. Decentralized – dForce (DF) token empowers the governance of the network."
"USX is an over-collateralized stablecoin implementing multiple minting modules including global-pool, vault, and LSR. USX's dollar peg is mainly dictated by a hybrid interest policy that can efficiently improves USX's liquidity on secondary market by adjusting its lending and borrowing rates on supported protocols. Powered by the LSR module, USX is also 1:1 tradable with other supported stablecoins directly through dForce Trade."
"DF Staking [is a] hybrid staking model for DF holders to capture fee income, inflationary rewards, and ecosystem airdrop across the network."
"PoS Staking [is p]roviding [a] validation service in PoS networks by participating in their governance and maintaining the security of the network, further aligning DeFi infrastructure with the broader blockchain ecosystem."
"Enabling decentralized lending and borrowing through smart contracts, automating the execution on the protocol."
"Peer-to-Peer marketplace with aggregated liquidity across different platforms with the best price."
"The vulnerability has been well-known for some time. According to ChainSecurity’s original report:
On April 14, we informed Curve and affected projects about a read-only reentrancy vulnerability in some Curve pools. More specifically, the value of function get_virtual_price can be manipulated by reentering it during the removal of liquidity.”
And Curve have provided a known workaround:
one can call any method which has the nonreentrant lock (removing 0 liquidity is probably the cheapest)."
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
|February 9th, 2023 4:10:22 PM MST||Arbitrum Attack Transaction||The attack transaction occurs on the arbitrum blockchain.|
|February 9th, 2023 4:11:02 PM MST||Attack Transaction||The attack transaction occurred on the optimism blockchain.|
|February 9th, 2023 7:59:00 PM MST||ZoomerAnon Twitter Post||The Twitter user ZoomerAnon posts a tweet about the optimism exploit. A response discussion mentions the arbitrum exploit as well.|
|February 9th, 2023 8:34:00 PM MST||PeckShield Notifies DForce Team||PeckShield posts a tweet to alert the DForce team that they should take a look at a suspicious transaction, referencing the arbitrum blockchain exploit transaction.|
|February 9th, 2023 9:25:00 PM MST||BlockSecTeam Technical Analysis||The BlockSecTeam publishes a technical analysis of the exploit on their Twitter.|
|February 9th, 2023 9:38:00 PM MST||Initial Twitter Announcement||The DForce team posts an initial announcement on Twitter about the exploit.|
|February 9th, 2023 10:02:00 PM MST||PeckShield Twitter Analysis||PeckShield posts an analysis of the exploit on Twitter including a full walkthrough of all the steps which were undertaken by the attacker.|
|February 12th, 2023 8:00:27 PM MST||Attacker Returns Funds||The actual blockchain transaction where the attacker returns the funds.|
|February 12th, 2023 10:29:00 PM MST||Announcement of Funds Returned||DForce Networks posts on Twitter to announce that the funds have been returned and they have agreed on a bounty for the exploit. The exploiter, who came forward as a whitehat, has agreed to a bounty, and the team will drop all on-going investigations and law enforcement actions. The team thanked their community, ecosystem partners, and friends for their support and committed to doubling down on expanding their bounty program to encourage more responsible hacking. They also shared a transaction confirming the return of the exploited funds.|
|February 13th, 2023 12:27:00 PM MST||RektHQ Publication||RektHQ publishes about the situation. They report that dForce Network suffered an attack on both Arbitrum and Optimism that exploited a common reentrancy vulnerability, resulting in a loss of $3.65 million. However, the exploiter returned all funds a few days later, and dForce confirmed that all impacted users will be made whole. The vulnerability, which is well-known, has affected other DeFi projects, including Midas Capital and Market.xyz. The attacker used flash loaned funds to deposit into Curve's wstETH/ETH and exploited the reentrancy vulnerability to manipulate the virtual price, resulting in profiting from the liquidation of other users using wstETHCRV-gauge as collateral. While Layer 2 networks have been enjoying a boom in adoption, increased usage also attracts malicious actors seeking to profit by any means necessary.|
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
"Shortly after 11pm Thursday night (UTC), an attack on two fronts exploited a common reentrancy vulnerability, netting $1.9M on Arbitrum and $1.7M on Optimism."
"The exploit used flash loaned funds to deposit into Curve’s wstETH/ETH, depositing the LP tokens into dForce’s wstETHCRV-gauge vault.
Upon calling the remove_liquidity function, the attacker’s contract exploited the reentrancy vulnerability to manipulate the virtual price, which dForce uses as an oracle for the wstETHCRV-gauge tokens."
BlockSec Technical Analysis
1/ @dForcenet attacked in both @arbitrum and @optimismFND. The root cause is the well-known read-only reentrancy in the curve pool.
2/ The price oracle used by dForce's lending protocol can be manipulated by the attacker. After that, the attacker can liquidate positions at a biased price to make profits. The loss is around 1.91 M in @arbitrum and 1.73M in @optimismFND.
3/ Attack transactions are below.
PeckShield Technical Analysis
1/ @dForcenet was exploited in a flurry of txs on Arbitrum & Optimism leading to the total gain of ~$3.65m for the exploiter.
2/ The hack is made possible due to the price manipulation of the @dForcenet wstETHCRV-gauge asset via reentrancy (via wstETHCRV.remove_liquidity), so that the exploiter can liquidate a number of positions w/ the wstETHCRV-guage as collateral.
3/ To illustrate, we use the above tx to show the key steps:
1. Flashloan 68,429 ETH and get 65,343 wstETHCRV
2. Transfer 1,904 wstETHCRV to the attacker contract
3. Deposit 1,904 wstETHCRV and recieve 1,904 wstETHCRV-gauge
4. Borrow 2,080,000 USX from 0xc462
5. Remove liquidity of 63,438 wstETHCRV, while getting 62,125 ETH, reentry
to manipulate the price of wstETHCRV from $1562 to $314, thus liquidate
the borrower collateral wstETHCRV.
6. Remove liquidity of 2,924 wstETHCRV to get 2863 ETH
7. Exchange 3806 wstETH to 4458 ETH
8. Deposit 69447 ETH, repay flashloan and profit 1236 ETH
4/ The initial fund (0.99ETH) is withdrawn from @RAILGUN_Project and was transferred to Optimism and Arbitrum through @SynapseNetwork_. Currently the 2.3K ETHs (around $3.65M) of the illicit gains still stay in the hacker’s account.
Total Amount Lost
The total amount lost has been estimated at $3,850,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
DForce Initial Twitter Announcement
DForce posted an immediate announcement about the exploit on Twitter.
wstETH/ETH Curve gauge vaults on Arbitrum & Optimism were exploited a few hours ago, and we immediately paused the dForce Vaults - other parts of the protocol remain intact and user funds are SAFE with dForce Lending. We will come back with a detailed report and remedies soon.
The following day, they submitted an extended announcement.
"The alarm was raised a few hours later, and dForce confirmed the incident after a further 90 minutes. The team then expanded on their original announcement, stating that they had pause all vaults and adding: Users' funds supplied to dForce Lending and other vaults are SAFE."
Criticism Of Bug Bounty Program
A cautionary tale in why having a low bug bounty offering that is paid in their own DF token is not enough of an incentive for a blackhat to turn whitehat relative to the TVL of the protocol which is $40M+
Maybe consider increasing your bug bounty reward amount and paying it out in a stablecoin like USDC rather than your own DF token. That will encourage more whitehat behavior.
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
"Good news came a few days later, when the exploiter returned all funds to dForce multisigs."
Attacker Returns The Funds
DForce announced that the exploiter had come forward and returned the funds.
1/5 On Feb 13, 2023, the exploited funds were fully returned to our multi-sig on both Arbitrum and Optimism, a perfect ending for all. All impacted users will be made whole, we will announce the details for distribution of the funds over the next few days.
2/5 Shortly after the incident, we entered into conversations with the exploiter, who came forward as a whitehat. We have agreed to offer a bounty and will drop all on-going investigation and law enforcement actions.
3/5 We would like to thank our community, ecosystem partners and friends for their supports, particularly, SlowMist
@SlowMist_Team for assisting in our investigation, and @samczsun and @tzhen for reaching out to offer help.
4/5 Security is the only thing that keeps us awake and it's a never-ending exercise. We have spent >$3m on security audits, bounty programs over the past few years, and are committed to doubling down on expanding our bounty program to encourage more responsible hacking.
5/5 Exploited fund return tx.
Total Amount Recovered
The attacker ultimately came forward and returned the funds.
TBD - How were these distributed?
There do not appear to be any remaining developments in this situation.
Individual Prevention Policies
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
- dForce (May 3, 2023)
- GETTING STARTED - dForce (May 3, 2023)
- USX - dForce (May 3, 2023)
- Curve LP Oracle Manipulation: Post Mortem - Chainsecurity (May 3, 2023)
- Arbitrum Attack Transaction - Phalcon Block Explorer (May 30, 2023)
- Optimistic L2 Exploit Transaction - Optimism (May 3, 2023)
- dForcenet Exploiter Address - Optimism (May 3, 2023)
- ZoomerAnon - "Looks like $1.7m+ @dForcenet flash loan exploit... Anyone else see this? No info in Discord or elsewhere" - Twitter (May 30, 2023)
- mbaril010.eth - "Did you saw that tx too:" - Twitter (May 30, 2023)
- PeckShield - "Hi @dForcenet, you may want to take a look" - Twitter (May 30, 2023)
- BlockSecTeam - "@dForcenet attacked in both @arbitrum and @optimismFND. The root cause is the well-known read-only reentrancy in the curve pool." - Twitter (May 30, 2023)
- DForce - "wstETH/ETH Curve gauge vaults on Arbitrum & Optimism were exploited a few hours ago, and we immediately paused the dForce Vaults - other parts of the protocol remain intact and user funds are SAFE with dForce Lending. We will come back with a detailed report and remedies soon." - Twitter (May 30, 2023)
- PeckShield - "@dForcenet was exploited in a flurry of txs on Arbitrum & Optimism leading to the total gain of ~$3.65m for the exploiter." - Twitter (May 30, 2023)
- Attacker Returns The Funds - Arbiscan (May 3, 2023)
- dForcenet - "On Feb 13, 2023, the exploited funds were fully returned to our multi-sig on both Arbitrum and Optimism, a perfect ending for all." - Twitter (May 3, 2023)
- RektHQ - "The attack came on both Arbitrum and Optimism, via a common reentrancy vulnerability." - Twitter (May 3, 2023)
- Rekt - dForce Network - REKT (May 3, 2023)
- web3maker.eth - "A cautionary tale in why having a low bug bounty offering that is paid in their own DF token is not enough of an incentive for a blackhat to turn whitehat relative to the TVL of the protocol which is $40M+" - Twitter (May 30, 2023)
- web3maker.eth - "Maybe consider increasing your bug bounty reward amount and paying it out in a stablecoin like USDC rather than your own DF token. That will encourage more whitehat behavior." - Twitter (May 30, 2023)