An article from CertiK and Cointelegraph on March 20 revealed that the Dolomite crypto exchange fell victim to an old contract exploit, resulting in approximately $1.8 million in losses. Users who had previously granted approvals to the contract were affected by the exploit. To mitigate the damage, the development team advised users to revoke approvals to the Ethereum Dolomite address starting with 0xe2466.
The team clarified that users who had only interacted with the current version on Arbitrum would not be affected by the exploit. Additionally, they disabled the faulty contract to protect users who had not yet been targeted. Nonetheless, the team recommended that all users revoke approvals to the contract.
Dolomite, a decentralized exchange and money market protocol, currently operates on Arbitrum and Polygon zkEVM. Originally launched on Ethereum in 2019, the team migrated the platform to the Arbitrum network in 2022, gradually phasing out support for the Ethereum version. Despite this, users can still engage with the Ethereum version using developer tools due to the immutability of smart contracts.
According to the CertiK report, the attacker took advantage of a function called “callFunction” that allows users to make arbitrary calls. This function is protected by a “noEntry” modifier, which should typically prevent reentrancy attacks. However, the TradeManager contract located at 0xe2466 bypasses this guard by containing a “call” function without a reentrancy guard. Consequently, the attacker used this contract to drain funds from users, as outlined by CertiK.
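Because the drained funds came from token approvals that users had left standing on the old contract, the practical defence is to find which allowances still point at the deprecated spender and revoke them with `approve(spender, 0)`. The following Python script is an added example, not code from Dolomite or CertiK: it replays constructed ERC-20 `Approval` events (the page gives only the 0xe2466 address prefix, so the full spender address is a placeholder) and builds the revoke calldata.

```python
"""Audit ERC-20 allowances left on a deprecated spender and build revoke calldata.

All event data below is constructed; DEPRECATED_SPENDER is a placeholder that
only shares the 0xe2466 prefix quoted in the article, not the real contract.
"""
from dataclasses import dataclass

DEPRECATED_SPENDER = "0xe2466" + "0" * 35          # hypothetical 20-byte address
APPROVE_SELECTOR = "095ea7b3"                      # keccak256("approve(address,uint256)")[:4]


@dataclass(frozen=True)
class Approval:
    """One ERC-20 Approval(owner, spender, value) log entry."""
    token: str
    owner: str
    spender: str
    value: int
    block: int


def current_allowances(events):
    """Replay events in block order; the latest value per (token, owner, spender) wins."""
    state = {}
    for ev in sorted(events, key=lambda e: e.block):
        state[(ev.token.lower(), ev.owner.lower(), ev.spender.lower())] = ev.value
    return state


def outstanding_to(events, spender):
    """Return (token, owner, value) for every non-zero allowance still granted to spender."""
    return sorted(
        (tok, own, val)
        for (tok, own, spn), val in current_allowances(events).items()
        if spn == spender.lower() and val > 0
    )


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): 4-byte selector, 32-byte padded address, 32-byte zero."""
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


SAMPLE_EVENTS = [  # constructed sample logs, not chain data
    Approval("0x" + "11" * 20, "0x" + "a1" * 20, DEPRECATED_SPENDER, 2**256 - 1, 100),
    Approval("0x" + "11" * 20, "0x" + "b2" * 20, DEPRECATED_SPENDER, 10**18, 101),
    Approval("0x" + "11" * 20, "0x" + "b2" * 20, DEPRECATED_SPENDER, 0, 105),  # already revoked
    Approval("0x" + "22" * 20, "0x" + "a1" * 20, "0x" + "33" * 20, 5 * 10**18, 102),  # other spender
]

if __name__ == "__main__":
    for tok, own, val in outstanding_to(SAMPLE_EVENTS, DEPRECATED_SPENDER):
        print(f"{own} still allows {val} of {tok}; send to token: {revoke_calldata(DEPRECATED_SPENDER)}")
```

Against a live chain the same replay works over `Approval` logs filtered by the spender topic; the produced calldata is sent to the token contract, not to the spender.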
The stolen funds were transferred to address 0x5eAA7DadA44d59549A6c58008b2bd3C7F81d2502 and subsequently deposited into Tornado Cash, according to CertiK.
This exploit is one of several incidents that occurred in March. On March 11, the Unizen protocol on Ethereum suffered losses of over $2.1 million due to an approval exploit. The development team pledged to reimburse affected users promptly. On March 15, Mozaic Finance lost over $2.4 million due to a compromise of their private key.