
Dolomite Exchange Drained of $1.8 Million USDC Through Legacy Smart Contract Vulnerability

A sophisticated attacker exploited a vulnerability in Dolomite Exchange’s legacy smart contract on March 21, 2024, siphoning approximately $1.8 million in USDC from users who still held positions on the protocol’s original Ethereum deployment. The breach highlights the persistent risks that abandoned but immutable smart contracts pose to the broader DeFi ecosystem, even as projects migrate to newer networks.

The Exploit Mechanics

The attack targeted the DolomiteMarginProtocol contract, an older smart contract that had been in use since Dolomite’s initial 2019 launch on Ethereum. Although Dolomite migrated its primary operations to Arbitrum in 2022, the original Ethereum contracts remained active and reachable because blockchain-deployed code is immutable. The vulnerability stemmed from owner-level permissions dating from before their removal in 2020, specifically a function called callFunction that enabled arbitrary code execution.

According to blockchain security firm CertiK, the attacker exploited the callFunction feature, which allowed calls to any arbitrary code despite the presence of a “noEntry” modifier designed to prevent reentrancy attacks. The attacker circumvented this safeguard by leveraging a function housed in a separate contract called SoloMargin, effectively bypassing the intended security measures and draining user funds from the protocol.

With Bitcoin trading near $65,491 and Ethereum at approximately $3,493 at the time of the attack, the $1.8 million loss represented a significant breach that underscored how legacy infrastructure can become an attractive target for sophisticated exploiters.

Affected Systems

The breach specifically impacted users who continued to maintain positions on Dolomite’s Ethereum-based deployment. The protocol, which functions as both a decentralized exchange and a money market, had not enforced migration of all user funds when transitioning to Arbitrum. Users who left assets in the older Ethereum contracts were exposed to the vulnerability. The affected contract, DolomiteMarginProtocol, retained dangerous permission structures from its original design, creating a persistent attack surface that existed for years without being adequately addressed.

The Mitigation Strategy

Following the discovery of the breach, Dolomite’s development team moved quickly to issue mitigation measures. The response included warning remaining users on the Ethereum deployment to withdraw their funds immediately. The team also coordinated with blockchain security researchers to analyze the full scope of the attack and identify any additional vulnerabilities in the legacy codebase.

For the broader DeFi community, this incident serves as a stark reminder that migrating to a new network does not automatically neutralize risks associated with legacy contracts. Projects must implement comprehensive migration plans that include full user fund withdrawals and, where possible, disable vulnerable functions on older deployments.

Lessons Learned

The Dolomite breach reveals several critical lessons for both developers and users. First, immutable smart contracts require proactive lifecycle management: teams cannot assume that migrating to a new chain eliminates exposure on the old one. Second, permission structures, particularly owner-level privileges, should be audited and revoked on legacy deployments even after a project has moved on. Third, users must remain vigilant about where their assets are deployed, especially when protocols announce migrations or network changes.
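As an added illustration (hypothetical code written for this article, not Dolomite's or CertiK's), the following shows the risky pattern described in the exploit mechanics section, a hook that forwards a caller-chosen target and calldata behind a single-contract reentrancy flag, beside a decommission pattern that implements the lessons above: a callee allowlist, a time-locked deprecation with a public notice window, and an exit path that survives deprecation. Contract and variable names (LegacyHookRisky, LegacyHookDeprecatable, allowedCallee, deprecateAt, NOTICE) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical legacy-style pattern, not Dolomite's code: a hook that forwards a
// caller-chosen target and calldata. The reentrancy flag only guards this one
// entry point; if another trusted contract can reach it, the flag buys nothing,
// and "removing owner permissions" changes nothing while the hook stays callable.
contract LegacyHookRisky {
    bool private entered;
    modifier noEntry() { require(!entered, "reentry"); entered = true; _; entered = false; }
    function callFunction(address target, bytes calldata data) external noEntry {
        (bool ok, ) = target.call(data); // arbitrary target and calldata
        require(ok, "call failed");
    }
}

// Hardened decommission pattern: callee allowlist, time-locked deprecation with a
// public notice window, and a permanent withdraw-only exit path afterwards.
contract LegacyHookDeprecatable {
    address public immutable admin;
    mapping(address => bool) public allowedCallee; // only vetted callback contracts
    mapping(address => uint256) public balance;
    uint256 public deprecateAt;                    // 0 = not scheduled
    uint256 public constant NOTICE = 7 days;

    constructor() { admin = msg.sender; }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier whileLive() { require(deprecateAt == 0 || block.timestamp < deprecateAt, "deprecated"); _; }

    function setCallee(address c, bool ok) external onlyAdmin whileLive { allowedCallee[c] = ok; }

    // Never flip instantly: users get NOTICE to withdraw before the hook dies.
    function scheduleDeprecation() external onlyAdmin {
        require(deprecateAt == 0, "already scheduled");
        deprecateAt = block.timestamp + NOTICE;
    }

    function callFunction(address target, bytes calldata data) external whileLive {
        require(allowedCallee[target], "callee not allowed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }

    function deposit() external payable { balance[msg.sender] += msg.value; }

    // withdraw has no whileLive guard: the exit path survives deprecation.
    function withdraw() external {
        uint256 amt = balance[msg.sender];
        balance[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "withdraw failed");
    }
}
```

Once deprecateAt has passed, every state-changing function except withdraw reverts, which is the "disable vulnerable functions on older deployments" step done on-chain rather than by announcement alone.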

On the same day, two other significant security incidents rocked the crypto space: the Super Sushi Samurai exploit drained $4.6 million from a Blast L2 game, and the Layerswap domain hijack compromised approximately $100,000 in user funds. The confluence of these attacks demonstrates that March 2024 has been an extraordinarily active period for crypto exploits.

User Action Required

If you held funds on Dolomite’s original Ethereum deployment, you should immediately check your wallet positions and contact the Dolomite team through their official channels. For all DeFi users, this incident underscores the importance of withdrawing funds from legacy protocol deployments when teams announce migrations. Always verify which network your assets are deployed on and whether the active contracts on that network are still being maintained and audited by the development team.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.


12 thoughts on “Dolomite Exchange Drained of $1.8 Million USDC Through Legacy Smart Contract Vulnerability”

  1. legacy contracts sitting around with owner keys still active in 2024 is wild. immutable code is a feature until it's not

    1. exactly. they migrated to arbitrum but just… left the old contracts running? with user funds still in them? come on

      1. depeg_crane they probably assumed migration meant users would move. but you can't assume that with immutable contracts sitting there with real money in them

    2. legacy_hunter

      sol_ferret immutable code is great until its a liability. there needs to be a kill switch standard for deprecated contracts with user funds

    3. immutable contracts with active admin keys in 2024 is negligence full stop. migration plan should include explicit key rotation or time locked deprecation

  2. callFunction with arbitrary execution is the kind of thing that should have been killed in 2020 when they removed owner permissions. how do you remove permissions but leave the backdoor?

    1. Felix W. that's the real question. they removed owner permissions but left callFunction active. that's like changing the front door lock but leaving the back window open.

    2. removing owner permissions but leaving callFunction exposed is like changing the front door locks and leaving a key under the mat. unbelievable oversight

  3. certik flagged it but the funds were already moving. $1.8m gone because nobody bothered to decommission a 2019 deployment

  4. callFunction allowing arbitrary execution through the noEntry modifier is 2017 tier code. three audits and nobody caught it because everyone looked at the new Arbitrum deployment

  5. projects that migrate should be required to publish a decommission plan for legacy contracts. leaving immutable code with user funds and no exit path is irresponsible

    1. Anders Lindqvist

      decommission plans for legacy contracts should be mandatory. ethereum gives you EIPs for upgrade patterns but nobody uses basic access control cleanup

