Beosin: dForce was attacked because the Curve pool reentrancy vulnerability was exploited, which affected the price of the oracle

According to the Beosin EagleEye security risk monitoring, early warning and blocking platform monitoring of the blockchain security audit company Beosin, the dForce contract was attacked on Optimism and Arbitrum respectively, with a total loss of about 3.7 million US dollars. According to the analysis of Beosin security technicians, the reason is that the re-entry vulnerability of the curve pool is used to affect the price of the oracle machine, and profits are obtained by lending loans that exceed the value of the collateral and liquidating positions when the price is manipulated. The attack transaction on Arbitrum earned 719,437 dForce USD (USX) and 1236 ETH (approximately $1.95 million). Ethereum is currently still on Arbitrum's address, and USX has been transferred to Optimism through a cross-chain bridge. The attack transaction on Optimism made a profit of 1.037 million USX, and finally all the USX was converted into 1110 Ethereum (about 1.75 million US dollars). Beosin Trace tracked and found that the stolen Ethereum is still on the Optimism address.