DForce DeFi Protocol Breached, $25 Million in BTC and ETH Lost

On April 19, the decentralized finance (DeFi) Prime explorer discovered strange activity on the dForce multi-purpose protocol. It soon became relatively clear that the China-based Defi protocol’s funds were wiped out entirely. Up to 25 million dollars of customers’ crypto was lost due to an entirely-known exploit that exists on an ETH token.

On April 14, dForce said that it acquired 1.5 million dollars in a seed round that was spearheaded by crypto VC fund Multicoin Capital. The money was siphoned from the Lendf.Me contracts. By description, Lendf.Me is a lending protocol that operates as a part of dForce in a huge collection of DeFi protocols.

Up to now, the identity of the criminal remains unknown and their motive for this theft is not yet clear. The address that conducted this ‘crime’ was set up a few hours before perpetrating the hack. Nobody has succeeded in linking the address to a person’s identity through exchange data, for now. But, people are reaching out trying to negotiate with the hacker.

Since that hack, Lendf.Me went offline and as expected all its smart contracts have all been suspended. The stolen tokens were sent to Decentralized Finance lending protocols Aave and Compound. The founder who is also the CEO of Aave, Stani Kulechov, said that approximately 10 million dollars of the stolen token funds were sent to his protocol.

In a strange development, the hackers reimbursed up to $126,014 to Lendf.Me. All that money was returned to the owner with a note that read, “Better luck next time,” according to Chain News.

Uniswap Attack

This hack used similar criteria to an already known Ethereum exploit channel that was used on April 18 to steal over $300,000 dollars from Uniswap decentralized exchange. It was confirmed that all Uniswap smart contracts that comprise of imBTC, an ETH-based, tokenized version of BTC that is operated by TokenIon, were entirely drained. Lendf.Me integrated these imBTC tokens in January 2020.

The Uniswap cyberattack reportedly exploited an already known shortcoming that majorly affects the ERC777 token standard. A cybercriminal can constantly withdraw as much ERC777 token funds as they want from Uniswap platform before the remaining balance is updated due to the manner in which these smart contracts are designed. This method can gradually and constantly deplete the contracts of imBTC before anyone notices it.

The dForce cyberattack is completely separate from the Uniswap cybercrime but it is believed to have used a majorly similar exploitation strategy.

Both Lendf.Me and Tokenlon immediately suspended their smart contracts in the wake of these attacks.

Today, the imBTC pool on Uniswap has been attacked & drained. The hacker utilized an attack vector on ERC777 tokens on Uniswap.

The BTC in custody is not impacted.

We have paused imBTC transfers for now, are evaluating the situation & will notify when transfers are restored

— Tokenlon DEX (@tokenlon) April 18, 2020

In that context, a dForce spokesperson told reporters that the matter is still under critical investigation.

New Attack, Old Strategy

DeFi Rate said that the vulnerability is not new since it resembles the 2016 attack on The DAO. ConsenSys called out the vulnerability in a lengthy exhaustive audit on Uniswap that happened 16 months ago. They concluded that it was a major issue back then. Uniswap will fix the shortcoming in an upgrade that is scheduled to take place later this month.

The CEO of Compound, Robert Leshner, alleges that Lendf.Me had appropriated its open-source code. A report from The Block in January discovered that the term ‘Compound’ featured four times in dForce’s contract.

Up to now, dForce has remained conspicuously quiet about the hacking on all their social medial channels. David Liu is one of the affected users who alleges that he lost around $100,000. He says that it is frustrating. After February’s exploits and unprecedented activities on bZx, in which approximately $1 million was stolen, the investors may become fearful to give their money to any types of smart contracts. For the last three months, these attacks have happened every month.

Currently, much of the money is found in Aave. Returning the money to the owners is challenging since Aave is a decentralized finance platform.