DeFi Protocol dForce Loses Over $25 Million Worth Of Cryptocurrencies To Hackers

UPDATE – April 21, 2020 – The hackers have returned the stolen digital assets after accidentally leaking their own IP address during the attack.

dForce, a Chinese decentralized finance (DeFi) protocol backed by Multicoin Capital has been exploited by unknown hackers.

The overall value locked in the dForce ecosystem was decreased by 100% to $6 over the last 24 hours, according to DeFi Pulse data.

One day prior, the overall value locked in the system was $24.9 million.

Notably, the Lendf.Me website which is a lending platform inside the dForce ecosystem is inaccessible at press time.

Lendf is one of the two protocols backed by the dForce Foundation.

Speaking to a Chinese blockchain media company, the lending protocol confirmed that Lendf.Me was attacked at 8:45 Beijing time Sunday at block height 9899681.

As illustrated by DeFi Pulse, hackers managed to successfully acquire access to huge quantities of Bitcoin (BTC), Ethereum (ETH), and U.S Dollar Tether (USDT).

• 

Despite that information regarding the exploit was yet to be disclosed, it should be pointed out that in January, Lendf.Me integrated with imBTC, an Ethereum token pegged to Bitcoin.

Earlier in the day, a liquidity pool for imBTC on peer-to-peer decentralized cryptocurrency exchange Uniswap was exploited, which lead to a loss of approximately $300,000 worth of tokens.

The imBTC attack capitalized on the fact that imBTC is a Bitcoin-pegged asset designed in line with the ERC-777 standard. Since the hackers understood this, they were able to constantly call the Uniswap smart contract to withdraw funds prior to the external balance being updated.

Looks like the @LendfMe hacker abused the same reentrancy issues of @tokenlon's ERC777 $imBTC token which was used yesterday to drain the imBTC/ETH pool on @UniswapProtocol

$25M gone just like that, dust in the wind, be careful out there frens$ETH #DeFi https://t.co/9hDvgo1Hqk pic.twitter.com/j3TktP54Tf

— ChainLinkGod.eth (@ChainLinkGod) April 19, 2020

Various DeFi and Ethereum professionals are speculating that Lendf.Me suffered a similar attack to imToken, since transaction records indicate that the hackers repeatedly called Lendf.Me’s withdrawal function to pull out imBTC that was provided to the lending protocol by the hackers initially.

This is the same exploit, hacker achieved unlimited collaterals then drain the pool by borrowing. https://t.co/WkicR04YpT pic.twitter.com/0DcuagwMpz

— WooParadog (@WooParadog) April 19, 2020

• 

Nevertheless, such scheme was not something new. Back in 2016, the notorious DAO hack utilized a comparable method that resulted in $60 million Ethereum being stolen. In the past year, a ConsenSys audit of Uniswap examined this vulnerability thoroughly.

dForce CEO Mindao Yang confirmed that the hackers have attempted to contact them, and the team intends to communicate with them.

UPDATE – April 21, 2020 – Lendf.Me and the dForce Foundation negotiated with the hackers which ultimately led to the crypto assets being returned.

Now the attacker has returned virtually all funds. He took away $25 million and returned $23.8 million. The disparity is likely only because price went down slightly in the last two days. So there is no doubt in my mind that the attacker got caught and was forced to return it

— Larry Cermak (@lawmaster) April 21, 2020