According to ChainCatcher, the SlowMist security team reported that the DFX Finance project on the ETH chain was attacked, and the attacker made a profit of approximately $231,138. The SlowMist security team shared the following in a newsletter:

1. The attacker first called the viewDeposit function in the contract named Curve to view the deposit status in the contract, and then constructed a suitable flash loan based on the returned deposit status.

2. Then continue to use the flash function of the Curve contract for flash loan. Because the function is not protected by reentry lock, the attacker uses the flashCallback function in the flash loan to call back the deposit function of the contract to make a deposit.

3. The deposit function externally calls the proportionalDeposit function of the ProportionalLiquidity contract, in which the funds borrowed in the second step are transferred back to the Curve contract, and the deposit is recorded for the attack contract, and a deposit certificate is minted for the attack contract.

4. The balance check for flash loan repayment was successfully passed by using the reentrant deposit function to transfer funds back to the Curve contract

5. Finally, the withdraw function is called to withdraw funds. When withdrawing funds, the deposit certificate will be burned according to the attack contract account when depositing in the third step, and about 2,283,092,402 XIDR tokens and 99,866 USDC tokens will be successfully withdrawn for profit.

The main reason for this attack is that the flash loan function of the Curve contract does not have reentry protection, which causes the attacker to reenter the deposit function to transfer tokens to determine the balance of the flash loan repayment. Since the deposit is recorded, the attacker can successfully withdraw the money and make a profit. (Source link)