Reentrancy Attacks on Legacy DeFi Contracts: How a Five-Year-Old Bug Drained $1.8 Million From Dolomite Users

On March 20, 2024, the cryptocurrency community witnessed yet another reminder that old code never truly dies — it just waits to be exploited. The Dolomite decentralized exchange, a protocol that had long since migrated its active operations to the Arbitrum layer-2 network, discovered that its original Ethereum-based smart contracts from 2019 were being drained by an attacker exploiting a classic reentrancy vulnerability. By the time the team disabled the old contract, approximately $1.8 million in user funds had already been siphoned and laundered through Tornado Cash.

The Exploit Mechanics

Reentrancy attacks remain one of the oldest and most devastating vulnerabilities in smart contract security. In the Dolomite incident, the attacker identified that the legacy contract — deployed in 2019, before many modern security standards were established — contained a function that allowed external callbacks before the contract’s internal state was updated. This is the textbook definition of a reentrancy vulnerability: the attacker’s contract could repeatedly call the withdrawal function before the balance was decremented, effectively withdrawing the same funds multiple times.

The attack specifically targeted users who had previously granted token approvals to the old Dolomite contract. Even though the exchange had moved its primary operations to Arbitrum, the Ethereum mainnet contract remained live and accessible. Users who had approved the old contract months or even years earlier were still exposed, as token approvals on Ethereum persist indefinitely unless manually revoked. With Bitcoin trading around $67,900 and Ethereum near $3,513 at the time, the $1.8 million loss represented a significant but not catastrophic event — yet it highlighted a systemic issue in DeFi.

Affected Systems

The Dolomite exploit was not an isolated incident on March 20, 2024. The same day, the DeFi aggregator ParaSwap disclosed a vulnerability in its newly launched Augustus V6 contract. While ParaSwap’s team acted quickly — pausing the V6 API and conducting a white hat recovery operation — the vulnerability still resulted in approximately $24,000 in losses across Polygon, Arbitrum, and Ethereum Mainnet. The ParaSwap incident stemmed from a different root cause: improper handling of the uniswapV3SwapCallback function, which allowed unauthorized redirection of funds through controllable parameters.

Together, these two incidents underscore a troubling pattern. In Dolomite’s case, the vulnerable code was five years old. In ParaSwap’s case, the contract had been live for only two days. The threat surface spans from legacy contracts that developers have forgotten about to brand-new deployments that haven’t been battle-tested. Both cases targeted users who had granted token approvals — a fundamental mechanism in DeFi that most users treat as routine.

The Mitigation Strategy

Dolomite responded by immediately disabling the legacy contract and urging all users who had ever interacted with the old version to revoke their token approvals. ParaSwap took similar action, pausing its V6 API and conducting white hat operations to secure at-risk funds before malicious actors could exploit them. Both teams emphasized the same message: check your approvals regularly.

For the broader DeFi ecosystem, these incidents reinforce several critical mitigation strategies. First, protocols should implement formal sunset procedures for legacy contracts, including explicit disable functions that prevent any future interaction. Second, users should periodically audit their active token approvals using tools like Revoke.cash or Etherscan’s token approval checker. Third, developers should adopt the checks-effects-interactions pattern — updating internal state before making external calls — to prevent reentrancy in new contracts.
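As an added illustration (not code from Dolomite or ParaSwap), the minimal vault below shows the ordering bug described above beside a hardened version that applies checks-effects-interactions, adds a reentrancy mutex, and exposes the kind of explicit sunset switch the first mitigation calls for; contract and function names are assumed for the example.

```solidity
pragma solidity ^0.8.20;

// Vulnerable: the external call runs BEFORE the balance is reduced, so a
// recipient contract that calls withdraw() again from its receive() hook still
// passes the balance check and can withdraw the same funds repeatedly.
contract VaultVulnerable {
    mapping(address => uint256) public balances;
    function deposit() external payable { balances[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient"); // check
        (bool ok, ) = msg.sender.call{value: amount}("");        // interaction
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;                          // effect (too late)
    }
}

// Hardened: checks-effects-interactions ordering, a reentrancy mutex, and an
// owner-only sunset switch that blocks new deposits once the protocol migrates.
contract VaultHardened {
    mapping(address => uint256) public balances;
    address public immutable owner;
    bool public retired;
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        require(!retired, "contract retired");
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient"); // check
        balances[msg.sender] -= amount;                          // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");        // interaction last
        require(ok, "transfer failed");
    }

    // Sunset: permanently refuse deposits; withdrawals stay open so users can exit.
    function sunset() external {
        require(msg.sender == owner, "not owner");
        retired = true;
    }
}
```

Note that the sunset switch only stops new deposits; outstanding token approvals granted to the contract address still have to be revoked by each user, which is why both teams asked users to check their approvals.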

Lessons Learned

The Dolomite exploit teaches a painful lesson about technical debt in DeFi. Smart contracts are immutable by design, which means vulnerabilities in old code can persist indefinitely. The protocol had moved on, but the contract had not. Users who interacted with Dolomite in 2019 may not have even remembered granting approvals, yet those permissions remained active for half a decade.

From a security perspective, the incident demonstrates that the DeFi ecosystem’s attack surface grows with every deployed contract, not just the active ones. Security researchers and attackers alike are increasingly scanning for forgotten contracts with known vulnerability patterns. The $1.8 million stolen from Dolomite represents just one successful discovery — there are likely many more legacy contracts with similar issues waiting to be found.

User Action Required

If you have ever interacted with Dolomite’s legacy Ethereum contract, ParaSwap’s Augustus V6, or any DeFi protocol that has since migrated to a new contract version, take immediate action. Navigate to Revoke.cash, connect your wallet, and review all active approvals. Revoke any approvals for contracts you are no longer actively using. This simple step takes minutes and can prevent devastating losses. In a market where Bitcoin hovers near $68,000 and DeFi total value locked exceeds $80 billion, the few minutes spent auditing your approvals could be the most profitable investment you make today.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.

10 thoughts on “Reentrancy Attacks on Legacy DeFi Contracts: How a Five-Year-Old Bug Drained $1.8 Million From Dolomite Users”

  1. 2019 contract sitting there for 5 years with nobody watching it. this is why you revoke old approvals, people

    1. ^ seriously, set a calendar reminder every 6 months to clean up your token approvals. takes 5 minutes on revoke.cash

      1. revoked mine after reading this. had old Dolomite approvals sitting in my wallet from 2020. thanks for the reminder

    2. sunset_proxy_

      5 year old contract with no sunset clause and no monitoring. the team migrated to arbitrum and just forgot the old stuff existed. amateur hour

  2. $1.8M through a textbook reentrancy. nothing new under the sun, just old code nobody bothered to deprecate

    1. textbook reentrancy from 2019 code. the vulnerability checklist for auditors has had this as item #1 since the DAO hack. zero excuse

      1. the DAO hack was 2016 and reentrancy was lesson #1. a 2019 contract with the same bug means either the audit missed it or there was no audit at all

        1. read the post-mortem, there was an audit but it was for the v2 contracts on arbitrum. the legacy ethereum contracts were never scoped

  3. 5 years untouched and nobody from the team thought to sunset the old contract. that is negligence, not a hack

    1. deprecating old contracts should be standard practice after a migration. leaving live contracts with real funds sitting unmonitored is asking for trouble
