Force DAO, A DeFi Hedge Fund, Loses Over $375k in xFORCE Token Exploit
The decentralized finance hedge fund ForceDAO confirmed that the protocol suffered an attack on Sunday at around 7:06 AM UTC. According to a blog post by the ForceDAO team, the attack was carried out by five black hat attackers, one of whom returned the funds.
On Sunday, the DeFi hedge fund ForceDAO announced an attack on its protocol, specifically the xFORCE contract. According to the post-mortem report from the ForceDAO team, a total of 183 ETH (~$367,000) was drained and liquidated in the contract exploit.
Our team is aware of the xFORCE contract exploit and has identified the nature of the issue.
There are no further funds available on the xFORCE contract to be exploited.
All other vaults are safe.
We will provide a post-mortem and next steps over the coming hours.
— Force (@force_dao) April 4, 2021
The attack was first noticed by a white-hat hacker, who started draining funds from the xFORCE contract and later returned them to the ForceDAO multisig wallet. Explaining the exploit, Polymath's Mudit Gupta said the FORCE token's transfer functions return false rather than reverting when the sender does not have enough balance in their wallet.
“The xFORCE contract assumes FORCE will revert and does not handle the returned value,” Gupta explains.
This means anyone can make a deposit into the xFORCE contract and receive the synthetic FORCE token, xFORCE, even if they do not hold any FORCE tokens. Hence, the attackers could mint fresh xFORCE tokens without the xFORCE contract locking up any FORCE tokens.
Once you have the xFORCE tokens, you can withdraw the real FORCE tokens from the xFORCE contract by calling the `withdraw` function and exchanging your xFORCE tokens for FORCE tokens.
The xFORCE contract has already been drained by https://t.co/pCfyPP2NS9
— Mudit Gupta (@Mudit__Gupta) April 4, 2021
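The pattern Gupta describes, as an added illustration in minimal Solidity (not code from ForceDAO or from the article): a hypothetical wrapper vault that ignores the boolean returned by `transferFrom` beside a version that checks it. Contract, function and variable names are invented for the example; the real xFORCE code is not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface used by the vaults below. The article reports
// that FORCE's transfer functions return false instead of reverting.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Illustrative "before": the wrapper assumes a failed transfer reverts.
contract UncheckedVault {
    IERC20 public immutable underlying;
    mapping(address => uint256) public shares; // stands in for xFORCE balances

    constructor(IERC20 token) { underlying = token; }

    function deposit(uint256 amount) external {
        // Return value ignored: with a false-returning token, no FORCE
        // moves, yet shares are still credited to the caller.
        underlying.transferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        shares[msg.sender] -= amount; // 0.8+ reverts on underflow
        underlying.transfer(msg.sender, amount); // pays out real FORCE
    }
}
// Hardened version: a false return is treated like a revert, and
// shares are credited only for tokens that actually arrived.
contract CheckedVault {
    IERC20 public immutable underlying;
    mapping(address => uint256) public shares;

    constructor(IERC20 token) { underlying = token; }

    function deposit(uint256 amount) external {
        uint256 before = underlying.balanceOf(address(this));
        require(underlying.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = underlying.balanceOf(address(this)) - before;
        shares[msg.sender] += received;
    }

    function withdraw(uint256 amount) external {
        shares[msg.sender] -= amount;
        require(underlying.transfer(msg.sender, amount), "transfer failed");
    }
}
```

OpenZeppelin's SafeERC20 (`safeTransferFrom`) performs the same return-value check and additionally tolerates tokens that return no value at all; the balance-before/after accounting also protects against fee-on-transfer tokens.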
Four black hat hackers did not return their funds but instead sold them on the open market, totaling $367,000 in losses for the xFORCE contract. Here is the complete list of addresses the hackers used to drain the funds.
- Black hat hacker 1: https://etherscan.io/address/0x9d9c3695c54601929cd72d34a52935268eb9b00b
- Black hat hacker 2: https://etherscan.io/address/0xe29a07002c7be4299b51a2892799cc4a372994dd
- Black hat hacker 3: https://etherscan.io/address/0x0608576ea47b265f1f16b8b8383d0508f703a0cb
- Black hat hacker 4: https://etherscan.io/address/0x00000b20f0f6a3a212aa6b85106709cd5941457c
According to the post, FORCE, xFORCE, and FORCE/ETH LPs on Uniswap and SushiSwap were all affected. The team has since removed all xFORCE tokens from the contract to prevent further exploitation. Alberto Cevallos, the founder of ForceDAO, confirmed that the project would refund all parties affected by the hack and reward the white-hat hacker.
“I can confirm that there will be a snapshot and new token,” Cevallos said. “We’ve begun internal restructuring and will be announcing a plan over the coming days making any affected FORCE holders and LPs whole.”