Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 123 · Reentrancy

dForce Curve Read-Only Reentrancy

Curve read-only reentrancy on remove_liquidity drained $3.65M from dForce's wstETH/ETH pool on Arbitrum and Optimism. White hat returned all funds.

Date: February 10, 2023
Status: Recovered

On February 10, 2023, the lending protocol dForce Network lost approximately $3.65 million through a Curve read-only reentrancy attack on its wstETH/ETH pool integration across Arbitrum and Optimism. The attacker — later self-identified as a white-hat — returned the full $3.65M in exchange for a bounty.

What happened

dForce accepted the Curve Finance wstETH/ETH LP token as collateral in its lending markets on Arbitrum and Optimism, and priced that collateral by reading the pool's get_virtual_price() (the pool invariant D divided by the LP total supply). Every collateral valuation and liquidation check therefore trusted whatever value the pool reported at the moment of the read.

The vulnerability is the well-documented Curve read-only reentrancy pattern. In Curve's ETH pools, remove_liquidity reduces the pool balances and sends the withdrawn ETH to the caller (an external call) before it burns the caller's LP tokens. While that ETH transfer is executing, D has already fallen but the LP total supply has not, so get_virtual_price() returns a depressed value. get_virtual_price() is a view function outside the pool's nonreentrant lock, so a contract that reads it from inside the callback receives the depressed reading and no guard fires: the re-entry is into the reading protocol, not into Curve, which is why Curve's own lock does not help the integrator.

The attack:

  1. Flash-borrowed stETH (and related assets) to fund the operation.
  2. Deposited liquidity into the relevant Curve wstETH/ETH pool, then called remove_liquidity on part of the resulting LP position.
  3. When the pool pushed the withdrawn ETH to the attacker's contract, the contract's receive handler re-entered dForce's lending contracts, i.e. in the window between the balance decrement and the LP burn.
  4. dForce's price-reading code consumed Curve's mid-withdrawal virtual price, which was temporarily depressed.
  5. With dForce valuing wstETH/ETH LP collateral well below its real price, other users' positions appeared under-collateralised, and the attacker liquidated them, seizing collateral at the liquidation discount against the artificially low price.
  6. Repaid the flash loan and kept approximately $3.65M of profit across the two chains.

Aftermath

  • dForce paused affected markets within hours.
  • The attacker publicly identified as a white-hat via on-chain messages and entered negotiation with the dForce team.
  • After agreement on a bounty payment and the dropping of any ongoing investigation, all $3.65M was returned to dForce's multi-sig.
  • dForce redesigned the Curve integration with proper read-only-reentrancy-aware price reads.

Why it matters

The dForce incident sits in the Curve read-only reentrancy lineage, a vulnerability pattern that has produced recurring DeFi losses since the semantics of Curve's remove_liquidity became widely understood. It is also dForce's second reentrancy loss:

  • Lendf.Me (Apr 2020) — dForce's earlier lending protocol, drained through an ERC-777 (imBTC) token-hook reentrancy; not a Curve bug, but the same class of cross-contract reentrancy, and those funds were likewise returned.
  • dForce (Feb 2023) — read-only reentrancy on the wstETH/ETH pool.
  • Conic Finance (Jul 2023) — _isETH() check miss; same underlying bug class.
  • Multiple smaller incidents at protocols integrating Curve oracles.

The structural lesson is the one repeated for years: any protocol reading a Curve pool's internal state must explicitly handle the read-only reentrancy window. Curve's published integration guidance is to call a lock-protected pool function (for example withdraw_admin_fees() or claim_admin_fees(), depending on the pool version) immediately before reading get_virtual_price(); the call reverts if a withdrawal is in flight and is a harmless no-op otherwise, so a price can never be served from inside the window. Protocols that do not do this, typically because the integration was written before the guidance existed and never revisited, remain exploit candidates.
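The following Python model is an added illustration for both the attack sequence above and this integration rule; it is not code from Curve, dForce or this archive. The Pool, Attacker and oracle functions, the 1000/1000 starting balances, the 100 LP / 70 ETH victim position and the 80% collateral factor are constructed assumptions. The only properties kept faithful to Curve's ETH pools are the ordering inside remove_liquidity (balance reduced, ETH pushed to the caller, LP burned last) and the fact that get_virtual_price() is a view outside the reentrancy lock while withdraw_admin_fees() is inside it.

```python
# Toy model of the Curve read-only reentrancy window and of the lock probe
# that closes it. Added illustration, not Curve or dForce code; names,
# amounts and the collateral factor are assumptions for the example.

WAD = 10**18


class Pool:
    """Two-coin ETH/wstETH pool; coin 0 is raw ETH. D is approximated as the
    plain sum of balances (the real StableSwap invariant differs, but the
    direction of the mid-withdrawal error is the same)."""

    def __init__(self, balances, lp_supply):
        self.balances = list(balances)
        self.lp_supply = lp_supply
        self.locked = False  # stands in for Vyper's @nonreentrant('lock')

    def get_D(self):
        return sum(self.balances)

    def get_virtual_price(self):
        # View function, NOT covered by the lock: readable mid-withdrawal.
        return self.get_D() * WAD // self.lp_supply

    def withdraw_admin_fees(self):
        # Any lock-protected function serves as a probe: it reverts while a
        # withdrawal is in progress and is a no-op otherwise.
        if self.locked:
            raise RuntimeError("lock")

    def remove_liquidity(self, caller, lp_amount):
        if self.locked:
            raise RuntimeError("lock")
        self.locked = True
        amounts = []
        for i in range(len(self.balances)):
            amt = self.balances[i] * lp_amount // self.lp_supply
            self.balances[i] -= amt           # balance reduced now ...
            amounts.append(amt)
            if i == 0:
                caller.receive_eth(amt, self)  # ... raw ETH push = external call
            # coin 1 is an ERC-20 transfer: no callback
        self.lp_supply -= lp_amount           # ... LP burned only afterwards
        self.locked = False
        return amounts


def is_liquidatable(lp_collateral, debt_eth, lp_price, collateral_factor_bps):
    """Lending-market style health check (assumed parameters, not dForce's)."""
    borrow_power = lp_collateral * lp_price // WAD * collateral_factor_bps // 10_000
    return borrow_power < debt_eth


def naive_lp_price(pool):
    # The pre-incident pattern: trust the view unconditionally.
    return pool.get_virtual_price()


def guarded_lp_price(pool):
    # Curve's guidance: probe a lock-protected function first.
    pool.withdraw_admin_fees()  # reverts if a withdrawal is in flight
    return pool.get_virtual_price()


class Attacker:
    """Holds LP tokens and calls remove_liquidity; the ETH receive handler is
    where the cross-contract read (and the liquidation attempt) happens."""

    def __init__(self, oracle, victim_lp, victim_debt):
        self.oracle = oracle
        self.victim = (victim_lp, victim_debt)
        self.observed_price = None
        self.probe_error = None
        self.liquidated_victim = False

    def receive_eth(self, amount, pool):
        try:
            self.observed_price = self.oracle(pool)
        except RuntimeError as e:          # guarded oracle reverts here
            self.probe_error = str(e)
            return
        lp, debt = self.victim
        if is_liquidatable(lp, debt, self.observed_price, 8000):
            self.liquidated_victim = True


def run(oracle):
    """Attacker burns half the LP supply; returns what the oracle saw."""
    pool = Pool([1000 * WAD, 1000 * WAD], lp_supply=2000 * WAD)
    before = pool.get_virtual_price()
    att = Attacker(oracle, victim_lp=100 * WAD, victim_debt=70 * WAD)
    pool.remove_liquidity(att, 1000 * WAD)
    return {"before": before, "observed": att.observed_price,
            "probe_error": att.probe_error, "liquidated": att.liquidated_victim,
            "after": pool.get_virtual_price()}


if __name__ == "__main__":
    for name, oracle in (("naive", naive_lp_price), ("guarded", guarded_lp_price)):
        print(name, run(oracle))
```

With the naive oracle the price read from inside the callback is 0.75 ETH per LP while the honest value before and after the withdrawal is 1.0, enough to push the assumed victim below its collateral factor; with the guarded oracle the probe reverts inside the window and no price is ever served there. The probe only works if it is a call, not a staticcall, to a function that actually carries the lock, so the pool version matters.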

The white-hat return is also instructive. dForce's incident is one of an increasing number of cases where attackers identify themselves and negotiate openly — likely because:

  1. On-chain forensics has improved enough that attempting to launder a clearly-identified exploit is risky.
  2. Bounty programs at major protocols offer meaningful payouts without the legal and operational overhead of laundering.
  3. The white-hat framing offers legal protection that the alternative does not.

For protocol teams, negotiating in good faith with an exploiter has emerged as the highest-recovery path for moderate-sized incidents. The dForce pattern of a $3.65M loss, 100% recovery and a negotiated bounty has become a small genre of its own in the DeFi incident landscape since 2023.

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-dforce-hack-february-2023
  2. theblock.co: https://www.theblock.co/post/210518/dforce-protocol-drained-of-3-6-million-in-reentrancy-attack
  3. certik.com: https://www.certik.com/resources/blog/curve-conundrum-the-dforce-attack-via-a-read-only-reentrancy-vector-exploit
