The attacker exploited unvalidated calldata, resulting in 608 ETH being stolen.
Decentralized finance (DeFi) protocol Dough Finance lost $1.8 million in digital assets after a flash loan attack on the protocol.
On July 12, Web3 security firm Cyvers flagged that they had detected multiple suspicious transactions. The company communicated with lending protocol Aave to check if pools were affected. However, the security firm confirmed that pools within Aave were safe.
Despite this, Dough Finance suffered the brunt of the attack. According to Cyvers, the attacker was funded through the zero-knowledge (ZK) protocol Railgun and swapped the stolen USD Coin (USDC) for Ether (ETH). The attacker got a total of 608 ETH, worth about $1.8 million.
