Source: blockchain.news
DFX Finance, a stablecoin trading platform backed by Polychain Capital and True Ventures, has confirmed that it was hacked for $7.5 million.
The trading platform said that the exploit started around 7:21 pm UTC on Thursday and that it was notified about the exploits between 20 and 30 minutes after the first transaction was initiated.
DFX Finance said it took a proactive stance and paused its smart contract operations to contain the attack. Following its intervention, the hacked protocol said that the attacker was unable to move all the stolen funds, as an MEV bot intercepted up to $3.2 million of the funds.
However, the hacker got away with some funds, which were sent to Tornado Cash, the cryptocurrency mixing service that was sanctioned by the US Treasury Department. The DFX Finance attacker was able to obtain the funds by exploiting a vulnerability in the platform's flash loan protocol.
As BlockSec researchers detailed, the attacker borrowed funds from DFX Finance on the Ethereum blockchain and immediately deposited the funds using an “insecure callback function.” This tricked the protocol into thinking the funds had been paid out when in fact they hadn’t.
“When a user borrows money, the protocol should not allow any function calls that could change the balance of the DFX protocol,” BlockSec CEO Yajin Zhou told The Block.
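The flaw BlockSec describes can be modelled in a few lines. The following is an added illustration, not DFX Finance's contract code: a simplified pool whose flash loan checks only its balance after the callback, next to the same pool with a lock that rejects balance-changing calls while a loan is open. The class, function names and amounts are constructed for the example, and fees are ignored.

```python
# Constructed model (not DFX code): flash loan with a balance-only repayment check.
class Reverted(Exception): pass    # models an EVM revert of the whole call

class Pool:
    def __init__(self, reserves, guarded):
        self.reserves = reserves   # tokens held by the pool
        self.shares = {}           # depositor -> claim on reserves
        self.guarded = guarded     # True: state-changing calls blocked mid-loan
        self.in_flash = False

    def _check_lock(self):
        if self.guarded and self.in_flash:
            raise Reverted("state-changing call during flash loan")

    def deposit(self, who, amount):
        self._check_lock()
        self.reserves += amount
        self.shares[who] = self.shares.get(who, 0) + amount

    def repay(self, amount):
        self.reserves += amount    # plain transfer back, no shares credited

    def flash(self, who, amount, callback):
        snapshot = (self.reserves, dict(self.shares))
        self.reserves -= amount    # lend the tokens out
        self.in_flash = True
        try:
            callback(self, who, amount)
            if self.reserves < snapshot[0]:   # balance-only repayment check
                raise Reverted("flash loan not repaid")
        except Reverted:
            self.reserves, self.shares = snapshot   # roll back on revert
            raise
        finally:
            self.in_flash = False

def deposit_as_repayment(pool, who, amount):
    pool.deposit(who, amount)      # restores the balance AND credits shares
def plain_repayment(pool, who, amount):
    pool.repay(amount)

def run(guarded, callback):
    pool = Pool(reserves=1000, guarded=guarded)
    try:
        pool.flash("borrower", 100, callback)
        outcome = "ok"
    except Reverted:
        outcome = "reverted"
    return outcome, pool.reserves, pool.shares.get("borrower", 0)
```

In the unguarded pool the borrower ends the loan with a 100-token claim on reserves it never funded; with the lock, the same callback reverts while an ordinary repayment still succeeds.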
The attacker managed to take 2,963 ETH (worth approximately $3.8 million) and about $500,000. DFX Finance said that its Polygon group was not affected. However, the protocol said that once it opened withdrawals, everyone should try to take advantage of the allocation to get their funds out.
For the umpteenth time, a DeFi protocol has been hacked, underscoring the call for caution among investors and proper security provisions across the board.