DEXODUS LOST $300K IN A SIGNATURE REPLAY ATTACK

Here’s the Breakdown

On May 26, Dexodus Finance — a perpetual derivatives protocol on the Base Network — suffered a devastating exploit that led to a $300,000 loss from its liquidity pool. The attack was carried out by replaying old oracle signatures, exposing a critical flaw in how the protocol verified price feeds.

What Happened?

The attacker began by taking a $10.5K flash loan from the Balancer vault. With that, they manipulated the protocol into accepting outdated oracle-signed data that set the ETH price at $1816 — significantly lower than the real market price.

With this altered data, the attacker opened a 100x leveraged long position using $10K as collateral. This ballooned the position size to $1 million. Moments later, they reverted the ETH price feed back to the correct market value and closed the position, pocketing around $300K from the Dexodus liquidity pool.

The Root Cause

Dexodus used Chainlink price feeds, which are typically reliable. However, the protocol failed to implement checks to verify the freshness of the signed price data. The vulnerable part of the contract did not validate a nonce or any other unique report identifier, meaning old but still validly signed reports could be reused.

This oversight allowed the attacker to submit previously signed price reports through the performUpKeep function. Once decoded, these reports were accepted as valid, triggering the execution of the manipulated trade. The contract even emitted a ReportVerified event, believing the data was authentic.
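The pattern described above, as an added illustration that is not Dexodus or Chainlink code: a verifier that only checks the oracle's signature accepts any report the oracle ever signed, so a genuinely signed but stale report replays; a hardened verifier additionally rejects reports that are too old and reports whose identifier has already been consumed. The report layout, the HMAC-SHA256 stand-in for the oracle's ECDSA signature, the `MAX_REPORT_AGE` policy value and all prices and timestamps are constructed for this example.

```python
"""Replay-vulnerable vs. replay-resistant verification of signed oracle price reports.

Added example, not Dexodus or Chainlink code. HMAC-SHA256 stands in for the
oracle's real ECDSA signature; the wire format and sample values are constructed.
"""
import hashlib
import hmac
import struct

ORACLE_KEY = b"constructed-oracle-signing-key"   # constructed stand-in key
MAX_REPORT_AGE = 60                               # assumed policy: seconds a report stays fresh
FEED_ID = b"ETH/USD".ljust(32, b"\0")            # constructed 32-byte feed identifier


def encode_report(feed_id: bytes, price: int, observed_at: int, report_id: int) -> bytes:
    """Serialise one price report: 32-byte feed id, then price, timestamp, report id (constructed layout)."""
    return feed_id + struct.pack(">QQQ", price, observed_at, report_id)


def decode_report(report: bytes):
    feed_id = report[:32]
    price, observed_at, report_id = struct.unpack(">QQQ", report[32:])
    return feed_id, price, observed_at, report_id


def sign_report(report: bytes) -> bytes:
    """Oracle side: sign the encoded report (HMAC stand-in for ECDSA)."""
    return hmac.new(ORACLE_KEY, report, hashlib.sha256).digest()


def signature_valid(report: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_report(report), sig)


class VulnerableVerifier:
    """Only checks that the oracle signed the bytes, so any old genuine report is accepted again."""

    def perform_upkeep(self, report: bytes, sig: bytes, now: int):
        if not signature_valid(report, sig):
            return None
        _, price, _, _ = decode_report(report)
        return price  # stale price is used as if current


class HardenedVerifier:
    """Adds the two checks the post says were missing: freshness and single use of each report."""

    def __init__(self):
        self.seen_report_ids = set()
        self.last_observed_at = 0

    def perform_upkeep(self, report: bytes, sig: bytes, now: int):
        if not signature_valid(report, sig):
            return None
        _, price, observed_at, report_id = decode_report(report)
        if now - observed_at > MAX_REPORT_AGE:
            return None  # report is too old to act on
        if report_id in self.seen_report_ids or observed_at <= self.last_observed_at:
            return None  # already consumed, or older than the last accepted report
        self.seen_report_ids.add(report_id)
        self.last_observed_at = observed_at
        return price


def run_scenario() -> dict:
    """Feed one stale and one current report to both verifiers (constructed values, 8 decimals)."""
    old_report = encode_report(FEED_ID, 1816_00000000, observed_at=1000, report_id=1)
    new_report = encode_report(FEED_ID, 2600_00000000, observed_at=5000, report_id=2)
    old_sig, new_sig = sign_report(old_report), sign_report(new_report)
    now = 5000

    vulnerable, hardened = VulnerableVerifier(), HardenedVerifier()
    return {
        # signature still valid, so the stale $1816 price is accepted at time 5000
        "vulnerable_accepts_stale": vulnerable.perform_upkeep(old_report, old_sig, now),
        # stale report rejected by the age check
        "hardened_rejects_stale": hardened.perform_upkeep(old_report, old_sig, now),
        # current report accepted exactly once
        "hardened_accepts_fresh": hardened.perform_upkeep(new_report, new_sig, now),
        # same valid report submitted a second time is rejected by the seen-id check
        "hardened_rejects_replay": hardened.perform_upkeep(new_report, new_sig, now),
        # tampered price breaks the signature on both verifiers
        "tampered_rejected": vulnerable.perform_upkeep(
            encode_report(FEED_ID, 1, 5000, 2), new_sig, now),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The freshness window and the seen-identifier set are independent defences: the age check alone would still let an attacker resubmit a report within the window, and the identifier check alone would still accept a never-before-seen report from hours ago, so a verifier needs both.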

Post-Attack Fund Flow

After exploiting the protocol:

- The attacker repaid the flash loan.
- They bridged the stolen funds via Stargate to Ethereum.
- 107 ETH was sent to a safe multisig wallet controlled by the Dexodus team (likely a white-hat recovery).
- The remaining 6.2 ETH was routed to a different wallet and later transferred to Binance — potentially as part of a bounty settlement.

#Binancenews #BinanceSquareTalks #WriteToEarnWCT #cryptonews #Kosheunti.