In the largest decentralized finance (DeFi) hack so far, $25 million were drained from the dForce smart contract.
On April 19, Lendf.Me, the lending protocol in the Multicoin Capital-backed network dForce was attacked. As per the company's report, they became aware of the breach at 9:15 am (UTC+8) and temporarily paused Lendf.Me and USDx.
The hackers exploited a weakness with a mix of using ERC777 tokens and DeFi smart contract to secure the reentry attack. In this attack, 99.9% of dForce’s funds have been lost which also includes the funds of the co-founder himself.
Mindao YANG, Founder of dForce and founding partner of Blockpower Capital wrote,
“The callback mechanism enabled the hacker to supply and withdraw ERC777 tokens repeatedly before the balance was updated.”
According to Yang, they have been contacted by the hacker/s and wish to hash this out with them. They have also reached out to exchanges to help find and blacklist the addresses belonging to the hackers.
dForce wasn’t the only one, a day before that, DeFi platform Uniswap was also attacked by a hacker where the attacker exploited the vulnerability to drain the Uniswap liquidity pool of ETH-imBTC (of about $1,278 ETH worth $228k).
Part of these stolen funds have already made their way to other DeFi projects like Compound Finance and are being sold for other crypto assets.
Currently, there is an exchange going on between the hacker and dForce. The dForce attacker also sent $126k in PAX back to the project’s admin account with a “better future” memo and dForce has also reached out with their contact email. Victims are also sending $0 transactions to the attacker pleading with them to return their funds.
dForce was also accused of shipping its code from Compound Finance and with this trend continuing to accelerate, it warrants increased focus and funds directed towards their security.
If a project doesn't have the expertise to develop it's own smart contracts, and instead steals and redeploys somebody else's copyrighted code, it's a sign that they don't have the capacity or intention to consider security.
Hope developers & users learn from the @LendfMe hack.
— 🤖 Leshner (@rleshner) April 19, 2020
Yet another DeFi hack is raising questions on the resilience of these projects and the DeFi sector, also these so-called “decentralized” projects’ ability to pause their networks. However, Melody He, co-founder, and partner at crypto hedge fund The Spartan Group says,
“The Dao didn’t kill Ethereum, Parity hack didn’t stop Polkadot, this incident will not be hope lost for Defi. But we have to acknowledge Defi is far away from deserving mainstream adoption.”