Decentralized finance (DeFi) protocol Dough Finance lost $1.8 million in digital assets after a flash loan attack on the protocol. 

On July 12, Web3 security firm Cyvers flagged that they had detected multiple suspicious transactions. The company communicated with lending protocol Aave to check if pools were affected. However, the security firm confirmed that pools within Aave were safe.

Despite this, Dough Finance suffered the brunt of the attack. According to Cyvers, the attacker was funded through the zero-knowledge (ZK) protocol Railgun and swapped the stolen USD Coin ( USDC ) for Ether ( ETH ). The attacker got a total of 608 ETH, worth about $1.8 million.

Hacker manipulates smart contract

Web3 security provider Olympix highlighted that the exploit was due to unvalidated calldata within the "ConnectorDeleverageParaswap" contract. The firm explained:

“The contract didn't properly check the data it received during flash loan calls, allowing the attacker to manipulate it for their benefit.”

Because of this, the attacker was able to manipulate the data and steal the funds.

Olympix said those who deposited funds in the DeFi protocol’s exploited contract might be impacted. However, the security provider noted that the hack did not impact Aave pools.

The security provider also advised Dough Finance users to consider withdrawing their funds to a secure wallet. Furthermore, they urged users to monitor announcements from the Dough Finance team and avoid interacting with the protocol until the situation is resolved.

Related: Pancake Bunny hacker siphons $2.9M of Ether through Tornado Cash

Over $1 billion lost to security incidents in 2024

While the Dough Finance hack losses only amounted to almost $2 million, the rest of the crypto space had already lost more than $1 billion in digital assets because of various incidents within the space.

On July 3, blockchain security company CertiK published its security report, highlighting that losses on onchain incidents already reached $1.19 billion in the first half of 2024. Most of the losses were attributed to phishing attacks and private key compromises.

According to CertiK, the space lost almost $500 million to phishing attacks, while private key compromises resulted in almost $409 million in losses.

CertiK co-founder Ronghui Gu highlighted the urgent need to implement multifactor authentication methods, such as two-factor authentication (2FA) and security keys.

Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis