DeFi aggregator raided by five hackers on launch day

cointelegraph.com, 05 April 2021, 06:22 UTC

Fledgling decentralized finance protocol ForceDAO has had a rough start, with several incursions from hackers taking place just hours after it launched.

The Ethereum-based yield aggregator had only just launched its airdrop campaign on April 3 when four malicious “black-hat” hackers managed to drain a total of 183 $ETH worth approximately $367,000 at the time. One friendly "white-hat" hacker also assisted the team by alerting them to prevent further losses.

The team has released a post-mortem of the attacks and taken responsibility for what it termed an “engineering oversight.”

POST-MORTEM

To the Force and DeFi community, we'd like to share a post-mortem on the recent xFORCE exploit.

Thanks to everyone technical and non-technical who helped along the way.

Especially to the White Hat who helped deter FORCE getting drained. https://t.co/MK2GH69yLd

— Force (@force_dao) April 4, 2021

Following the incursion, the team made a decision to transfer 60 million FORCE tokens from the treasury multi-signature wallet into a deployer wallet to create and execute three votes that would effectively burn the FORCE balances in three of the hackers’ addresses.

The post-mortem explained that the affected xFORCE platform was a fork of a SushiSwap smart contract containing a mechanism to revert tokens in the event of failed transactions. The protocol describes xFORCE as the “interest-bearing” version of FORCE, representing shares in its pools similar to how LP tokens work.

A flaw in the contract used by ForceDAO enabled the attackers to exploit this mechanism to mint xFORCE tokens which were then withdrawn and exchanged for $ETH on the markets. The team acknowledged the attack would have been relatively easy to prevent.

“This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract.”
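The bug class the post-mortem points to, as an added example that is not ForceDAO's or SushiSwap's code: a staking vault that discards the boolean returned by `transferFrom`, beside a version that checks it. It assumes the staked token reports a failed transfer by returning `false` instead of reverting; `StakingVault` and its function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example with hypothetical names; not ForceDAO's or SushiSwap's code.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingVault {
    IERC20 public immutable token;               // staked asset
    uint256 public totalShares;                  // supply of receipt shares
    mapping(address => uint256) public sharesOf; // receipt shares per holder

    constructor(IERC20 token_) {
        token = token_;
    }

    // Price a deposit against what the vault held before the deposit.
    function _quote(uint256 amount, uint256 held) internal view returns (uint256) {
        if (totalShares == 0 || held == 0) return amount;
        return (amount * totalShares) / held;
    }

    function _mint(address to, uint256 shares) internal {
        totalShares += shares;
        sharesOf[to] += shares;
    }

    // BEFORE: shares are minted, then the token is pulled and the returned
    // bool is discarded. If the token answers `false` on failure (assumed
    // here) the call does not revert, so the shares remain with no deposit.
    function enterUnchecked(uint256 amount) external {
        _mint(msg.sender, _quote(amount, token.balanceOf(address(this))));
        token.transferFrom(msg.sender, address(this), amount); // result ignored
    }

    // AFTER: pull the tokens first, turn a `false` result into a revert,
    // and mint only against the balance the vault actually received.
    function enterChecked(uint256 amount) external {
        uint256 held = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - held;
        _mint(msg.sender, _quote(received, held));
    }
}
```

OpenZeppelin's `SafeERC20.safeTransferFrom` performs the same check and additionally handles tokens that return no value at all, which a plain `require` on the bool does not.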

The team said the hack was under investigation, as some of the addresses originated from the popular exchanges FTX and Binance. A snapshot will be taken and the project will be re-launched with a new xFORCE token, it added.

Following the launch and airdrop, FORCE token prices surged to over $2 on Apr. 4, but have since crashed over 95% to $0.05 at the time of writing.
