On Sunday, the DeFi hedge fund ForceDAO announced an attack on its protocol, specifically the xFORCE contract. According to a post mortem report from the ForceDAO team, a total of 183 ETH (~$367,000) was drained and liquidated through the contract exploit.

https://twitter.com/force_dao/status/1378643450803929089?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1378643450803929089%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.coindesk.com%2Fdefi-hedge-fund-force-dao-attacked-force-token-plunges

The attack was first noticed by a white-hat hacker, who started draining funds from the xFORCE contract and later returned them to the ForceDAO multisig wallet.

Explaining the exploit, Polymath’s Mudit Gupta said the FORCE token’s transfer functions return false rather than reverting when the sender does not have enough balance in their wallet. “The xFORCE contract assumes FORCE will revert and does not handle the returned value,” Gupta explains. This means anyone can call deposit on the xFORCE contract and receive the synthetic token, xFORCE, even if they do not hold any FORCE tokens. Hence, the attackers could mint fresh xFORCE tokens without the xFORCE contract locking up any FORCE tokens.

https://twitter.com/Mudit__Gupta/status/1378631648976064517

Four black hat hackers did not return their funds but instead sold them on the open market, totaling $367,000 in losses for the xFORCE contract. Here is a complete list of addresses the hackers used to drain the funds.
- Black hat hacker 1: https://etherscan.io/address/0x9d9c3695c54601929cd72d34a52935268eb9b00b
- Black hat hacker 2: https://etherscan.io/address/0xe29a07002c7be4299b51a2892799cc4a372994dd
- Black hat hacker 3: https://etherscan.io/address/0x0608576ea47b265f1f16b8b8383d0508f703a0cb
- Black hat hacker 4: https://etherscan.io/address/0x00000b20f0f6a3a212aa6b85106709cd5941457c