An article from CertiK and Cointelegraph has revealed that the Dolomite crypto exchange fell victim to an exploit on an old contract, resulting in the theft of around $1.8 million. Users who had previously given approvals to the contract were affected, and the development team has advised them to revoke those approvals to the Ethereum Dolomite address beginning with 0xe2466.
The team clarified that users who had only interacted with the current version of Dolomite on Arbitrum should not be impacted. They have taken action by disabling the faulty contract to protect users who have not yet fallen victim to the attack. Nevertheless, the team emphasized the importance of revoking approvals to the contract.
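Checking which tokens still grant the legacy contract an allowance, and building the transaction that revokes it, is the defensive step the team recommends. The following is an added example, not code from the article or from the Dolomite team; it assumes standard ERC-20 ABI encoding, uses an obviously padded placeholder for the 0xe2466 address (the article gives only the prefix) and constructed sample RPC responses, so it runs offline.

```python
# Added example: build the JSON-RPC / ABI payloads an allowance audit and a
# revoke need, with no network access. Addresses below are constructed.
ALLOWANCE_SELECTOR = "dd62ed3e"  # keccak256("allowance(address,address)")[:4]
APPROVE_SELECTOR = "095ea7b3"    # keccak256("approve(address,uint256)")[:4]
UNLIMITED = 2**256 - 1           # the "infinite approval" value wallets often set

# PLACEHOLDER: the article only gives the prefix 0xe2466; take the full
# address from the team's own notice before using this for real.
SPENDER_PLACEHOLDER = "0x" + "e2466" + "0" * 35


def _addr_word(addr: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte ABI word (hex, no 0x)."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"bad address: {addr}")
    return h.rjust(64, "0")


def allowance_call(token: str, owner: str, spender: str) -> dict:
    """eth_call body asking `token` how much `spender` may move on behalf of `owner`."""
    data = "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}


def decode_uint256(result_hex: str) -> int:
    """Decode the single 32-byte word an allowance() eth_call returns."""
    h = result_hex.removeprefix("0x")
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte word")
    return int(h, 16)


def revoke_calldata(spender: str) -> str:
    """Transaction data for approve(spender, 0), which revokes the allowance."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + "0" * 64


def revokes_needed(allowances: dict) -> list:
    """Given {token: decoded allowance}, list the tokens that still need a revoke."""
    return [token for token, amount in allowances.items() if amount > 0]


if __name__ == "__main__":
    owner = "0x" + "22" * 20                     # constructed user address
    tokens = {"0x" + "11" * 20: "0x" + "f" * 64,  # constructed: unlimited approval
              "0x" + "33" * 20: "0x" + "0" * 64}  # constructed: already zero
    decoded = {t: decode_uint256(r) for t, r in tokens.items()}
    for t in revokes_needed(decoded):
        flag = " (unlimited)" if decoded[t] == UNLIMITED else ""
        print(f"revoke {t}{flag}: {revoke_calldata(SPENDER_PLACEHOLDER)}")
```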
Dolomite, a decentralized exchange and money market protocol, currently operates on Arbitrum and Polygon zkEVM. It was initially launched on Ethereum in 2019 but was later migrated to the Arbitrum network in 2022, gradually phasing out support for the Ethereum version. Despite this, users can still interact with the Ethereum version using developer tools due to the immutability of smart contracts.
According to CertiK’s report, the attacker exploited a function called “callFunction,” which allows users to make arbitrary calls. Normally, this function is protected by a “noEntry” modifier that should prevent reentrancy attacks. However, the TradeManager contract located at 0xe2466 can bypass this guard as it contains a “call” function without a reentrancy guard. As a result, the attacker was able to drain funds from users using this contract.
The stolen funds were then transferred to address 0x5eAA7DadA44d59549A6c58008b2bd3C7F81d2502 and subsequently deposited into Tornado Cash, as confirmed by CertiK.
This exploit is one of several that have taken place in March. On March 11, the Unizen protocol on Ethereum experienced a loss of over $2.1 million due to an approval exploit; its development team pledged to reimburse affected users promptly. Additionally, on March 15, Mozaic Finance lost over $2.4 million as a result of a compromise of its private key.