The DFX Finance team acknowledged the security vulnerability and announced that all of its smart contracts had been paused while it addressed the problem. According to DFX Finance's statement, it became aware of the suspicious activity about 20 to 30 minutes after the attack and suspended all DFX contracts within a few minutes of verifying it.
The incident appeared to be a flash-loan-enabled attack that allowed the hacker to maliciously drain funds from the decentralized exchange protocol for stablecoins. Of the $7.5 million in stolen funds, the hacker was able to move only $4.3 million into their own wallet: $500,000 in stablecoins and 2,963 ether ($3.8 million).
The attacker took advantage of a vulnerable flash-loan system that DFX Finance offered on the Ethereum network. During the hack, the attacker acquired stablecoins from the protocol and used an insecure callback function to transfer them into DFX's liquidity pools without going through the flash-loan checks. After the flash loan, the attacker still held liquidity-pool tokens, which they sold.
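The flaw described above, as a simplified Python model added here for illustration; it is not DFX Finance's contract code. The names, the single token, the 1:1 share minting and the reentrancy lock shown as the mitigation are assumptions.

```python
# Toy model of a pool with a flash loan; NOT DFX Finance's contract code.
# Assumptions: one token, LP shares minted 1:1 on deposit, no fee.
class Revert(Exception):
    """Stands in for an EVM revert."""

class Pool:
    def __init__(self, reserves, guarded):
        self.reserves = reserves   # tokens held by the pool
        self.shares = {}           # LP shares per account
        self.guarded = guarded     # True = reentrancy lock enforced
        self.locked = False

    def deposit(self, who, amount):
        if self.guarded and self.locked:
            raise Revert("deposit blocked while a flash loan is open")
        self.reserves += amount
        self.shares[who] = self.shares.get(who, 0) + amount

    def repay(self, amount):
        self.reserves += amount    # plain repayment, mints nothing

    def flash(self, who, amount, callback):
        snapshot = (self.reserves, dict(self.shares))
        self.locked = True
        try:
            self.reserves -= amount            # lend the tokens out
            callback(self, who, amount)        # borrower-controlled code
            if self.reserves < snapshot[0]:    # check looks only at the balance
                raise Revert("flash loan not repaid")
        except Revert:
            self.reserves, self.shares = snapshot  # a revert undoes all changes
            raise
        finally:
            self.locked = False

def honest_borrower(pool, who, amount):
    pool.repay(amount)

def deposit_in_callback(pool, who, amount):
    # Balance is restored via deposit(), so the check passes and shares are minted.
    pool.deposit(who, amount)

def run(guarded, callback):
    pool = Pool(reserves=1_000, guarded=guarded)
    try:
        pool.flash("borrower", 400, callback)
        status = "ok"
    except Revert:
        status = "reverted"
    return status, pool.reserves, pool.shares.get("borrower", 0)
```

With the lock off, the deposit made from inside the callback satisfies the repayment check and leaves the borrower holding shares; with the lock on, the same call reverts and the pool state is unchanged.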
An MEV bot took the other $3.2 million of the stolen funds using a front-running operation, often known as a sandwich attack. The funds the bot took sit at an address under the bot operator's control, so they can be returned if the operator is agreeable. DFX Finance has already asked the operator to return them.