UPDATE – April 21, 2020 – The hackers have returned the stolen digital assets after accidentally leaking their own IP address during the attack.
dForce, a Chinese decentralized finance (DeFi) protocol backed by Multicoin Capital has been exploited by unknown hackers.
The overall value locked in the dForce ecosystem was decreased by 100% to $6 over the last 24 hours, according to DeFi Pulse data.
One day prior, the overall value locked in the system was $24.9 million.
Notably, the Lendf.Me website which is a lending platform inside the dForce ecosystem is inaccessible at press time.
Lendf is one of the two protocols backed by the dForce Foundation.
Speaking to a Chinese blockchain media company, the lending protocol confirmed that Lendf.Me was attacked at 8:45 Beijing time Sunday at block height 9899681.
As illustrated by DeFi Pulse, hackers managed to successfully acquire access to huge quantities of Bitcoin (BTC), Ethereum (ETH), and U.S Dollar Tether (USDT).
Despite that information regarding the exploit was yet to be disclosed, it should be pointed out that in January, Lendf.Me integrated with imBTC, an Ethereum token pegged to Bitcoin.
Earlier in the day, a liquidity pool for imBTC on peer-to-peer decentralized cryptocurrency exchange Uniswap was exploited, which lead to a loss of approximately $300,000 worth of tokens.
The imBTC attack capitalized on the fact that imBTC is a Bitcoin-pegged asset designed in line with the ERC-777 standard. Since the hackers understood this, they were able to constantly call the Uniswap smart contract to withdraw funds prior to the external balance being updated.
Various DeFi and Ethereum professionals are speculating that Lendf.Me suffered a similar attack to imToken, since transaction records indicate that the hackers repeatedly called Lendf.Me’s withdrawal function to pull out imBTC that was provided to the lending protocol by the hackers initially.
Nevertheless, such scheme was not something new. Back in 2016, the notorious DAO hack utilized a comparable method that resulted in $60 million Ethereum being stolen. In the past year, a ConsenSys audit of Uniswap examined this vulnerability thoroughly.
dForce CEO Mindao Yang confirmed that the hackers have attempted to contact them, and the team intends to communicate with them.
UPDATE – April 21, 2020 – Lendf.Me and the dForce Foundation negotiated with the hackers which ultimately led to the crypto assets being returned.