The decentralized finance (DeFi) community has been shocked once again by probably this year’s biggest crypto hacking that resulted in a loss of US$25 million [AU$39.7 million] in BTC and ETH.
It looks like LendfMe / dForce protocol being drained 🚨 pic.twitter.com/UEqSEpSOfT
— defiprime (@defiprime) April 19, 2020
The DeFi Prime explorer data revealed extremely unusual activity this weekend from dForce, a DeFi platform based on the Ethereum blockchain. The hacking drained 100% of dForce’s pooled assets worth approximately $25 million in Ethereum and Bitcoin.
Lendf.Me, the lending application platform in the dForce ecosystem, confirmed that the hacking occurred at 8:45 BST. It can be traced back from the block height 9.899.681.
Meanwhile, dForce advised users not to put any of their assets on the platform for the meantime.
According to the data from DeFi Pulse, the attack was initiated through the imBTC token and its ERC-777 token standard. Many are suspecting that the attackers exploited the vulnerability of the ERC-777 token in order to launch “reentrancy attacks.”
Further investigations are still on-going.
How much was lost?
According to the data provided by SlowMist Security Team, the asset distribution for losses on the platform is as follows:
- BUSD: 480787.88767
- CHAI: 77930.93433
- HBTC: 320.27714
- HUSD: 432162.90569
- imBTC: 291.3471
- WETH: 55159.02134
- WBTC: 9.01152
- PAX: 587014.60367
- TUSD: 459794.38763
- USDC: 698916.40348
- USDT: 7180525.08156
- USDx: 510868.16067
What is the DeFi community saying?
The DeFi community is dismayed about the hacking. This is apparently not the first time that the imBTC tokens were exploited by attackers.
Uniswap suffered from the same mode of attack earlier this year.
The method used by attackers allowed them to obtain an unlimited amount of collateral, giving them the opportunity to borrow tons of money to drain dForce’s pooled assets.
Incidentally, the attack happened after they closed their $1.5 million strategic funding round in the same week. Multicoin Capital, Huobi Capital, and CMBI led the funding round.
If a project doesn't have the expertise to develop it's own smart contracts, and instead steals and redeploys somebody else's copyrighted code, it's a sign that they don't have the capacity or intention to consider security.
Hope developers & users learn from the @LendfMe hack.
— Robert Leshner (@rleshner) April 19, 2020
According to many critics of the platform, dForce only copied the code from Compound’s lending protocol. However, it copied a version of the Compound protocol that did not have any security against reentrancy attacks.
Following the breach, a tracking revealed that the stolen assets were already converted into ETH and other tokens on decentralized exchanges like Paraswap, 1inch.exchange, and Tokenlon.
Some of the stolen funds went to Compound and Aave’s lending platforms as well.
If anything, what developers have to learn from what happened to dForce is the importance of performing stringent security audits whenever finalizing platforms built on DeFi.
It also showed composability concerns on DeFi platforms, where every entity in a protocol’s ecosystem is expected to be making sure that that they keep risks to a minimal level, if not none.
Featured image courtesy of Jack Moreh/Stockvault