A hacker exploited vulnerabilities in Dolomite’s smart contracts, absconding with $1.8 million in USDC, prompting the exchange’s development team to issue mitigation measures.
Exploited Contract and Methodology
A recent report from blockchain security platform CertiK reveals a significant security breach within the Dolomite crypto exchange. An old contract, once utilized by Dolomite, became the gateway for a hacker to abscond with approximately $1.8 million worth of USD Coin (USDC).
Dolomite, a decentralized exchange and money market protocol, initially launched on Ethereum in 2019 before migrating to the Arbitrum network in 2022. Despite transitioning away from Ethereum, users can still access its Ethereum version utilizing developer tools owing to the immutable nature of smart contracts.
The fact that the hackers were able to gain access to the protocol and steal funds from the auditors despite precautionary measures is being considered a serious security concern.
Mechanism of Attack
The exploited contract, ‘DolomiteMarginProtocol,’ harbored vulnerabilities stemming from permissions granted to the owner before the contract was retired in 2020. The attacker capitalized on a function named “callFunction,” which enabled arbitrary calls despite the presence of a “noEntry” modifier designed to thwart reentrancy attacks.
Despite the intended safeguarding through the “noEntry” modifier, the attacker circumvented restrictions by leveraging a function housed in a separate contract, ‘SoloMargin,’ effectively bypassing security measures.
This exploit allowed the attacker to siphon funds from users, with all pilfered assets eventually funneled into a certain wallet address and subsequently deposited into Tornado Cash.
Mitigation Measures and Recommendations
To reduce the damage, Dolomite’s development team advised users to revoke approvals to the Ethereum Dolomite address starting with 0xe2466, which was implicated in the breach. While users solely interacting with the current version on Arbitrum are deemed unaffected, the team has disabled the compromised contract as an added precaution. Nonetheless, users have been urged to revoke approvals to mitigate potential risks.
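As an added illustration of the revocation advice above (this is not Dolomite's own code or tooling): a small Python routine that finds outstanding ERC-20 approvals to a spender whose address starts with a given prefix, using constructed Approval event logs, and builds the `approve(spender, 0)` calldata that revokes them. The flagged spender address is a placeholder (only its 0xe2466 prefix comes from the advisory), and the owner addresses and logs are constructed sample data.

```python
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")

USDC = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48"  # USDC on Ethereum mainnet
# Placeholder: only the 0xe2466 prefix comes from the advisory; the rest is made up.
FLAGGED_SPENDER = "0xe2466" + "0" * 35
ALICE, BOB, CAROL, OTHER_SPENDER = ("0x" + h * 20 for h in ("11", "22", "33", "44"))

@dataclass
class Log:
    block: int
    index: int
    address: str   # token contract that emitted the event
    topics: list   # topic[0] = event signature, then the indexed owner and spender
    data: str      # non-indexed args; for Approval this is the uint256 amount

def pad_topic(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")  # indexed addresses are left-padded to 32 bytes

def approval_log(block, index, owner, spender, amount):
    return Log(block, index, USDC, [APPROVAL_TOPIC, pad_topic(owner), pad_topic(spender)], f"0x{amount:064x}")

MAX_UINT = 2**256 - 1
SAMPLE_LOGS = [  # constructed sample, not real chain data
    approval_log(100, 0, ALICE, FLAGGED_SPENDER, MAX_UINT),  # still outstanding
    approval_log(101, 3, BOB, FLAGGED_SPENDER, MAX_UINT),
    approval_log(105, 1, BOB, FLAGGED_SPENDER, 0),           # Bob already revoked
    approval_log(103, 2, CAROL, OTHER_SPENDER, 5_000_000),   # unrelated spender
]

def topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, spender_prefix):
    """Latest non-zero Approval per (token, owner, spender) whose spender starts with spender_prefix.
    Approvals overwrite rather than accumulate, so only the most recent event per pair matters."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l.block, l.index)):
        if len(log.topics) != 3 or log.topics[0].lower() != APPROVAL_TOPIC:
            continue  # skip Transfer and other events
        key = (log.address.lower(), topic_to_address(log.topics[1]), topic_to_address(log.topics[2]))
        latest[key] = int(log.data, 16)
    return {k: v for k, v in latest.items() if v > 0 and k[2].startswith(spender_prefix.lower())}

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): 4-byte selector, 32-byte address, 32-byte zero amount."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

if __name__ == "__main__":
    for (token, owner, spender), amount in outstanding_approvals(SAMPLE_LOGS, "0xe2466").items():
        print(f"{owner} -> {spender} on {token}: {amount}; revoke with calldata {revoke_calldata(spender)}")
```

In practice the logs come from an `eth_getLogs` query filtered on the Approval topic and the owner's address, and the returned calldata is sent as a transaction to the token contract from the owner's account.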
March’s String of Exploits
This incident adds to a series of breaches occurring in March within the crypto space. Notably, on March 11, the Unizen protocol on Ethereum suffered losses exceeding $2.1 million due to an approval exploit. Similarly, on March 15, Mozaic Finance lost over $2.4 million, which was attributed to a compromised private key.
Ultimately, the attack on Dolomite’s smart contracts highlights the ongoing risks decentralized platforms face. With the industry fast evolving into a significant contender in the global economy, maintaining a high level of awareness and taking proactive steps is crucial to protecting user funds.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.