$25 million in BTC, ETH stolen in dForce hacking


The decentralized finance (DeFi) community has been shocked once again by what is probably this year’s biggest crypto hack, which resulted in a loss of US$25 million [AU$39.7 million] in BTC and ETH.

DeFi Prime explorer data revealed extremely unusual activity this weekend from dForce, a DeFi platform based on the Ethereum blockchain. The hack drained 100% of dForce’s pooled assets, worth approximately $25 million in Ethereum and Bitcoin.

Lendf.Me, the lending application platform in the dForce ecosystem, confirmed that the hack occurred at 8:45 BST. It can be traced back to block height 9.899.681.

Meanwhile, dForce advised users not to put any of their assets on the platform for the time being.

According to data from DeFi Pulse, the attack was initiated through the imBTC token and its ERC-777 token standard. Many suspect that the attackers exploited a vulnerability of the ERC-777 token in order to launch “reentrancy attacks.”

Further investigations are still ongoing.

How much was lost?

According to the data provided by SlowMist Security Team, the asset distribution for losses on the platform is as follows:

  • BUSD: 480787.88767
  • CHAI: 77930.93433
  • HBTC: 320.27714
  • HUSD: 432162.90569
  • imBTC: 291.3471
  • WETH: 55159.02134
  • WBTC: 9.01152
  • PAX: 587014.60367
  • TUSD: 459794.38763
  • USDC: 698916.40348
  • USDT: 7180525.08156
  • USDx: 510868.16067

What is the DeFi community saying?

The DeFi community is dismayed about the hack. This is apparently not the first time that imBTC tokens were exploited by attackers.

Uniswap suffered from the same mode of attack earlier this year.

The method used by the attackers allowed them to obtain an unlimited amount of collateral, giving them the opportunity to borrow tons of money to drain dForce’s pooled assets.

Incidentally, the attack happened in the same week that dForce closed its $1.5 million strategic funding round. Multicoin Capital, Huobi Capital, and CMBI led the funding round.

According to many critics of the platform, dForce only copied the code from Compound’s lending protocol. However, it copied a version of the Compound protocol that did not have any security against reentrancy attacks.
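To make the reentrancy risk and the missing protection described above concrete, here is an added example: a toy Python model, not code from dForce, Compound, or this article. `HookToken`, `Pool`, `replay` and the read/call/write order inside `supply` are assumptions chosen to illustrate the bug class and the effect of a reentrancy guard.

```python
# Constructed toy model (not dForce or Compound code); supply()'s ordering is assumed.
class HookToken:
    """Token that runs a sender-registered hook before moving funds (ERC-777 style)."""
    def __init__(self):
        self.balances, self.hooks = {}, {}
    def transfer(self, src, dst, amount):
        if src in self.hooks:
            self.hooks[src]()                    # external call: control leaves the pool
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def non_reentrant(fn):
    """Mutex: reject a pool entry point called while another one is running."""
    def wrapper(pool, *args):
        if pool.guarded and pool.entered:
            raise RuntimeError("reentrant call to " + fn.__name__)
        pool.entered = True
        try:
            return fn(pool, *args)
        finally:
            pool.entered = False
    return wrapper

class Pool:
    def __init__(self, token, guarded):
        self.token, self.guarded = token, guarded
        self.collateral, self.entered = {}, False
    @non_reentrant
    def supply(self, user, amount):
        cached = self.collateral.get(user, 0)       # read
        self.token.transfer(user, "pool", amount)    # external call, hook may run
        self.collateral[user] = cached + amount      # write from the stale read
    @non_reentrant
    def withdraw(self, user, amount):
        if self.collateral.get(user, 0) < amount:
            raise ValueError("insufficient collateral")
        self.collateral[user] -= amount
        self.token.transfer("pool", user, amount)

def replay(guarded):
    # Constructed scenario: a holder's hook calls withdraw() during supply().
    token = HookToken()
    token.balances["user"] = 100
    pool = Pool(token, guarded)
    pool.supply("user", 100)
    token.hooks["user"] = lambda: pool.withdraw("user", 100)
    try:
        pool.supply("user", 0)
    except RuntimeError:
        pass                                     # guard fired; on-chain the call reverts
    return pool.collateral["user"], token.balances["pool"]
```

`replay` returns the recorded collateral and the tokens the pool actually holds; without the guard the two diverge, which is the invariant an audit or monitor should check.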

Following the breach, tracking revealed that the stolen assets had already been converted into ETH and other tokens on decentralized exchanges like Paraswap, 1inch.exchange, and Tokenlon.

Some of the stolen funds went to Compound and Aave’s lending platforms as well.

If anything, what developers have to learn from what happened to dForce is the importance of performing stringent security audits when finalizing platforms built on DeFi.

It also highlighted composability concerns on DeFi platforms, where every entity in a protocol’s ecosystem is expected to make sure that risks are kept to a minimum, if not eliminated.
