An old contract previously used by the Dolomite crypto exchange has been exploited for approximately $1.8 million, according to a March 20 report from blockchain security platform CertiK and seen by Cointelegraph. The exploit affected users who previously authorized approvals to the contract, and the development team recommended revoking approvals to the Ethereum Dolomite address that begins with 0xe2466.
The development team claimed that users who have only interacted with the current version on Arbitrum should not be affected. They have also disabled the faulty contract, which should protect users who have not yet become victims of the attack. Even so, the team argued that users should revoke approvals to this contract.
Dolomite is a decentralized exchange and money market protocol that currently runs on Arbitrum and Polygon zkEVM. It originally launched on Ethereum in 2019. The team migrated it to the Arbitrum network in 2022 and gradually phased out support for the Ethereum version. Because of the immutable nature of smart contracts, users can still interact with its Ethereum version using developer tools.
According to the CertiK report, the attacker exploited a function named “callFunction” that allows a user to make any arbitrary calls. This function is guarded by a “noEntry” modifier, which under normal circumstances, should prevent any reentrancy attacks. However, this guard can be bypassed by the TradeManager contract located at 0xe2466, which contains a “call” function that has no reentrancy guard. Thus, the attacker was able to use this contract to drain funds from users, CertiK claimed.
The attacker transferred all of the stolen funds to address 0x5eAA7DadA44d59549A6c58008b2bd3C7F81d2502 and then deposited them into Tornado cash, Certik stated.
Related: ParaSwap evades hack targeting Augustus v6 contract vulnerability
This exploit is one of several that have occurred in March. On March 11, the Unizen protocol on Ethereum lost over $2.1 million due to an approval exploit. In that case, the development team promised to reimburse users as soon as possible. On March 15, Mozaic Finance lost over $2.4 million due to a private key compromise.