Old Dolomite exchange contract suffers $1.8M loss from approval exploit

The Exploitation of a Dolomite Crypto Exchange Contract for $1.8 Million

An outdated contract used by the Dolomite crypto exchange has been abused, resulting in a loss of approximately $1.8 million, as reported by CertiK’s blockchain security platform on March 20. The exploit targeted users who had previously granted token approvals to the contract, and the development team has advised users to revoke approvals to the 0xe2466 Ethereum Dolomite address.

The team stated that only users who have interacted with the current version on Arbitrum should be affected. The faulty contract has been disabled, protecting those who have not yet fallen victim to the attack. Nevertheless, the team recommends that all users revoke approvals to this contract.

Dolomite is a decentralized exchange and money market protocol currently operating on Arbitrum and Polygon zkEVM. It was originally launched on Ethereum in 2019 and was later migrated to the Arbitrum network in 2022, gradually phasing out support for the Ethereum version. However, due to the immutable nature of smart contracts, users can still access the Ethereum version using developer tools.

According to CertiK’s report, the attacker exploited a function called “callFunction”, which allows users to make arbitrary calls. This function is protected by a “noEntry” modifier, which should prevent reentrancy attacks. However, the TradeManager contract located at 0xe2466 can bypass this guard and contains a “call” function without a reentrancy guard, allowing the attacker to drain funds from users who had approved the contract.
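The underlying risk pattern is a contract that users have approved to spend their tokens and that also exposes an unrestricted external call: whoever can drive that call can make the contract invoke transferFrom against every outstanding approval. The following is an added illustration of that pattern and one hardened form; it is not Dolomite’s code and the contract and function names (UnsafeCallHelper, GuardedCallHelper, setAllowedTarget) are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative weak pattern (hypothetical, not Dolomite's contract).
/// Users approve this contract to spend their tokens for legitimate trades,
/// but `call` lets any caller pick the target and calldata. The contract
/// will therefore execute token.transferFrom(user, ...) for anyone, so every
/// approval granted to it becomes a shared liability. A reentrancy guard on
/// some other entry point does not help, because the call itself is the issue.
contract UnsafeCallHelper {
    function call(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened variant (hypothetical). Three independent controls:
///  1. only owner-allowlisted targets may be called, and token contracts that
///     hold user approvals must never be allowlisted;
///  2. selectors that move or re-delegate approved funds are rejected for any target;
///  3. a simple reentrancy guard covers the forwarding path.
contract GuardedCallHelper {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;
    uint256 private _entered; // 0 = free, 1 = in a call

    bytes4 private constant TRANSFER_FROM = IERC20.transferFrom.selector;
    bytes4 private constant APPROVE = bytes4(keccak256("approve(address,uint256)"));

    constructor() {
        owner = msg.sender;
    }

    modifier nonReentrant() {
        require(_entered == 0, "reentrant call");
        _entered = 1;
        _;
        _entered = 0;
    }

    /// Owner maintains the allowlist; review additions as carefully as a code change.
    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = allowed;
    }

    function call(address target, bytes calldata data) external nonReentrant returns (bytes memory) {
        require(allowedTarget[target], "target not allowlisted");
        require(data.length >= 4, "calldata too short");
        bytes4 selector = bytes4(data[:4]);
        require(selector != TRANSFER_FROM && selector != APPROVE, "selector blocked");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

From the user side the only durable mitigation is the one the team recommends: revoke allowances granted to contracts that are no longer in use, since an allowance outlives the front end that requested it and remains exercisable for as long as the approved contract exists on chain.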

The hacker sent all of the stolen funds to the address 0x5eAA7DadA44d59549A6c58008b2bd3C7F81d2502 and subsequently deposited them into Tornado Cash, according to CertiK’s report.

This security breach is just one of several that have occurred in March. On March 11, the Unizen protocol on Ethereum lost over $2.1 million due to an approval exploit. The team behind the project has promised to reimburse affected users as soon as possible. On March 15, Mozaic Finance also suffered a loss of over $2.4 million due to a compromise of their private key.
