An old contract formerly used by the Dolomite cryptocurrency exchange has been exploited for approximately $1.8 million in losses, blockchain security platform CertiK reported on March 20. The exploit primarily affected users who had previously granted token approvals to the contract. In response, the development team advised users to revoke approvals linked to the Ethereum Dolomite address beginning with 0xe2466.
This impacts Dolomite's old contracts from 2019 on Ethereum Mainnet.
Token approvals should be revoked from 0xe2466deb9536a69bf8131ecd0c267ee41dd1cda0
Dolomite's current product on Arbitrum is fine and is completely unrelated to this issue.
More information below: https://t.co/utfUfxTpvL
— Dolomite 🏔️ (@Dolomite_io) March 20, 2024
The team said that users who had only interacted with the current deployment on Arbitrum were likely unaffected. It also disabled the flawed contract to protect users who had not yet been affected by the attack, but still urged anyone with outstanding approvals to the compromised contract to revoke them.
Dolomite functions as a decentralized exchange and money market protocol, presently operating on Arbitrum and Polygon zkEVM. Initially launched on Ethereum in 2019, the project transitioned to the Arbitrum network in 2022, gradually phasing out support for its Ethereum version. However, due to the immutable nature of smart contracts, users still retained the ability to interact with the Ethereum version via developer tools.
According to CertiK's report, the attacker exploited a function named “callFunction,” which allowed users to make arbitrary calls. Although this function was protected by a “noEntry” modifier intended to prevent reentrancy attacks, the attacker bypassed that safeguard through the TradeManager contract at 0xe2466, whose “call” function lacked a reentrancy guard. Through that unguarded path, the attacker siphoned funds from users who still held approvals to the contract.
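As an added illustration (not Dolomite's code and not CertiK's analysis), the hypothetical Solidity contracts below show why a reentrancy guard on one entry point does not protect the contract as a whole: `UnguardedDispatcher` mirrors the pattern described above, with a `noEntry`-protected `callFunction` beside an unprotected `call` that performs the same arbitrary external call, while `GuardedDispatcher` puts every entry point behind the shared guard. The contract names, the `_dispatch` helper and the target allowlist are assumptions added here for the hardened form; only `callFunction`, `call` and `noEntry` come from the article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal reentrancy guard; the modifier name follows the article. Hypothetical code.
abstract contract ReentrancyGuard {
    uint256 private _status = 1;            // 1 = not entered, 2 = entered
    error Reentrant();
    modifier noEntry() {
        if (_status == 2) revert Reentrant();
        _status = 2;
        _;
        _status = 1;
    }
}

// Flawed pattern: callFunction is guarded, but call() reaches the same arbitrary
// external call with no guard, so noEntry covers only one of two entry points.
contract UnguardedDispatcher is ReentrancyGuard {
    function callFunction(address target, bytes calldata data) external noEntry {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
    function call(address target, bytes calldata data) external {   // no noEntry
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// Hardened pattern: every external entry that can trigger an outbound call shares
// the guard, and outbound targets are limited to an owner-managed allowlist
// (the allowlist is extra hardening not described in the article).
contract GuardedDispatcher is ReentrancyGuard {
    address public immutable owner = msg.sender;
    mapping(address => bool) public allowedTarget;

    function setAllowed(address target, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = ok;
    }
    function callFunction(address target, bytes calldata data) external noEntry {
        _dispatch(target, data);
    }
    function call(address target, bytes calldata data) external noEntry {
        _dispatch(target, data);
    }
    function _dispatch(address target, bytes calldata data) private {
        require(allowedTarget[target], "target not allowed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

When auditing a guard like this, enumerate every public or external function that can reach an outbound call and confirm each one carries the same modifier; a guard that is present on the function you happen to look at says nothing about its siblings.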
It appears that an old contract belonging to Dolomite Exchange has been exploited
In total, ~$1.8m has been stolen
Revoke approvals to 0xE2466deB9536A69BF8131Ecd0c267EE41dd1cdA0 pic.twitter.com/8tLuhKqDXn
— CertiK Alert (@CertiKAlert) March 20, 2024
The stolen funds were subsequently transferred to address 0x5eAA7DadA44d59549A6c58008b2bd3C7F81d2502 and deposited into Tornado Cash, as confirmed by CertiK.
This incident is one of several exploits in the cryptocurrency space during March. Notably, the Unizen protocol on Ethereum lost $2.1 million on March 11 to an approval exploit, with the development team committing to reimburse affected users promptly. Similarly, Mozaic Finance lost $2.4 million on March 15 due to a compromised private key.