Exploiters breach Dolomite’s security and drain $1.8 million


Exploited contract loophole allows unauthorized asset transfers at Dolomite.

A security exploit in old smart contracts of the money market Dolomite resulted in a loss of approximately $1.8 million, blockchain security firm CertiK reported. The breach, which occurred on Mar. 20, involved an attacker exploiting an input-validation vulnerability to transfer funds from victims via the ‘transferFrom’ method. The drained funds were originally denominated in USD Coin (USDC) and were subsequently converted to Ether (ETH).

Dolomite’s team explained in an X post that only long-time users who had interacted with its platform before 2020 were affected, and that a transaction had been submitted to prevent the exploited contract from being called again.

The ‘DolomiteMarginProtocol’ contract, which retains the ability to transfer user assets, was at the center of the exploit. The attacker leveraged the fact that old users, known as ‘TraderDelegators’, had never revoked their approvals, which still allowed asset transfers to the DolomiteMarginProtocol address.

Moreover, the DolomiteMarginProtocol contract contains a ‘callFunction’ that permits arbitrary calls. This function is normally safeguarded by a ‘noEntry’ modifier and is intended to be reachable only after a ‘singleEntry’ function has been called.

However, the attacker circumvented this by interacting with the SoloMargin contract, whose ‘call’ function the attacker used to execute the desired operations and trigger ‘callFunction’, thereby stealing assets from users who had approved the DolomiteMarginProtocol contract.
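A toy model of the pattern described above, added here as an example and not Dolomite's or CertiK's code: the `Token` and `MarginProtocol` classes, the account names and the placeholder address are constructed, and the initiator check in the hardened variant is an assumed mitigation for illustration, not the fix Dolomite deployed. The allowance audit at the end is the revocation step that the affected users had skipped.

```python
class Token:  # minimal ERC-20-style ledger: balances plus allowance[(owner, spender)]
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}
    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount
    def transfer_from(self, spender, owner, to, amount):
        # 'spender' draws on an allowance 'owner' granted earlier (the transferFrom path).
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount

class MarginProtocol:  # legacy contract that still holds approvals and exposes an arbitrary-call entry
    ADDRESS = "0xLEGACY_MARGIN"  # constructed placeholder, not the real contract address
    def __init__(self, token, enforce_initiator):
        self.token = token
        self.enforce_initiator = enforce_initiator  # False = vulnerable design, True = hardened
    def call_function(self, initiator, owner, to, amount):
        # Vulnerable: anyone reaching this entry can spend any approver's allowance; the hardened
        # variant (assumed mitigation) requires the debited account itself to initiate the call.
        if self.enforce_initiator and initiator != owner:
            raise PermissionError("initiator is not the account being debited")
        self.token.transfer_from(self.ADDRESS, owner, to, amount)

def exposed_allowances(token, spender):
    """Defender check: accounts that still grant 'spender' a non-zero allowance."""
    return {o: a for (o, s), a in token.allowance.items() if s == spender and a > 0}

def revoke_all(token, spender):
    """Apply approve(spender, 0) for every exposed account; returns the accounts revoked."""
    exposed = sorted(exposed_allowances(token, spender))
    for owner in exposed:
        token.approve(owner, spender, 0)
    return exposed

def run_scenario(enforce_initiator):
    """Constructed scenario: two old users approved the legacy contract long ago and never revoked."""
    usdc = Token({"alice": 1_000, "bob": 500, "outsider": 0})
    usdc.approve("alice", MarginProtocol.ADDRESS, 2**256 - 1)  # 'unlimited' stale approval
    usdc.approve("bob", MarginProtocol.ADDRESS, 500)
    margin = MarginProtocol(usdc, enforce_initiator)
    try:  # a third party routes a transferFrom of alice's funds through the legacy entry point
        margin.call_function("outsider", "alice", "outsider", 1_000)
        drained = True
    except PermissionError:
        drained = False
    revoked = revoke_all(usdc, MarginProtocol.ADDRESS)
    return drained, usdc.balances["outsider"], revoked, exposed_allowances(usdc, MarginProtocol.ADDRESS)
```

Run `run_scenario(False)` for the vulnerable design and `run_scenario(True)` for the hardened one; in both cases the audit finds the two stale approvals and the revocation leaves none exposed.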
