The Dolomite crypto exchange experienced a significant loss of approximately $1.8 million due to an exploit targeting an old contract, as reported by CertiK. This exploit impacted users who had previously authorized approvals to the exploited contract, prompting the development team to recommend revoking approvals to the Ethereum Dolomite address. Despite the exploit, users who solely interacted with the current version on Arbitrum are believed to be unaffected, with the development team taking measures to protect those who have not yet fallen victim to the attack.
Originally launched on Ethereum in 2019, Dolomite has since migrated to the Arbitrum network, gradually phasing out support for the Ethereum version. However, due to the immutable nature of smart contracts, users can still interact with its Ethereum version using developer tools, posing ongoing risks. The exploit targeted a function named “callFunction,” guarded by a “noEntry” modifier intended to prevent reentrancy attacks, but was bypassed by the TradeManager contract located at 0xe2466, allowing the attacker to drain funds from users, as claimed by CertiK.
The attacker transferred the stolen funds to address 0x5eAA7DadA44d59549A6c58008b2bd3C7F81d2502 and deposited them into Tornado cash, further complicating efforts to trace and recover the stolen funds. This exploit is part of a series of incidents occurring in March within the crypto space, including losses suffered by the Unizen protocol and Mozaic Finance, highlighting ongoing security challenges. While the development team has disabled the faulty contract and advised users to revoke approvals, these incidents underscore the importance of robust security measures and constant vigilance in the decentralized finance sector.
