dForce – a China-based startup aiming to build a DeFi super network – was hacked for nearly $25M late last night. The attack hit the platform’s lending application, LendF.me, and used the same technique as the attack that drained Uniswap‘s imBTC/ETH pool the day before.
#DeFi platform @dForcenet has been drained of $24M in capital
The loss of funds comes the same week the team closed its $1.5M investment round
More details to come 🕵️
h/t @defiprime @defipulse pic.twitter.com/kzRRtFRxJB
— DeFi Rate (@DefiRate) April 19, 2020
In short, the exploit was a reentrancy attack through imBTC, a token built on the ERC777 standard. The reentrancy vulnerability let the attacker repeatedly increase how much of every other asset he could borrow from dForce’s lending platform, until he was able to exit with all of the assets deposited in the lending application. Here’s a great thread explaining the attack in more depth.
ELI15 of the https://t.co/eHAfnLE7AZ attack that drained 25M funds – Thread ⬇️
— Emilio Frangella (@The3D_) April 19, 2020
In total, the attack on Lendf.Me resulted in roughly $24.75M in losses. According to the SlowMist Security Team, the losses break down by asset as follows:
- 55,159 WETH
- 9.01 WBTC
- 77,930 CHAI
- 320.27 HBTC
- 432,162.90 HUSD
- 480,787.88 BUSD
- 587,014.60 PAX
- 459,794.38 TUSD
- 698,916.40 USDC
- 7,180,525.08 USDT
- 510,868.16 USDx
- 291.34 imBTC
The exploit comes after the team closed a $1.5M strategic round earlier this week led by Multicoin Capital, Huobi Capital, and CMBI – a subsidiary of one of China’s largest banks. dForce is aiming to become a DeFi super network, targeting every vertical in open finance while focusing on China’s growing demographic.
Prior to the attack, dForce was experiencing steady growth and had climbed to #7 on DeFi Pulse by total value locked. The DeFi platform held over $25M in value at its peak, days before the attack.
The China-based DeFi platform has drawn criticism from the community over its code similarities with Compound. Lendf.Me is allegedly based on the original Compound V1 smart contracts, which had no reentrancy guard in place, leaving the platform exposed through any supported asset built on the ERC777 token standard.
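To make the reentrancy described above and the missing guard concrete, here is an added Python model of the accounting mistake (example code, not dForce’s or Compound’s contracts): a toy ERC777-style token whose tokensToSend hook hands control back to the depositor in the middle of a transfer, a market that computes the new supply balance before the transfer and writes it afterwards, and the same market behind the reentrancy mutex it lacked. The class names, the `run_scenario` helper and all balances are constructed for the illustration.

```python
def nonreentrant(fn):
    # Mutex modelling the guard Compound V1 lacked; on-chain the raise would revert the whole call.
    def wrapper(self, *args):
        if self.guarded and self.entered:
            raise RuntimeError("reentrant call blocked")
        self.entered = True
        try:
            return fn(self, *args)
        finally:
            self.entered = False
    return wrapper

class ERC777Token:
    # Toy ERC777-style token: a transfer runs the sender's tokensToSend hook BEFORE it checks and moves balances.
    def __init__(self, balances):
        self.balances, self.hooks = dict(balances), {}
    def transfer_from(self, src, dst, amount):
        if src in self.hooks:
            self.hooks[src](src, dst, amount)  # control leaves the market here
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

class Market:
    # Compound-V1-style accounting: the new supply balance is computed before the transfer and written after it.
    def __init__(self, token, guarded=False):
        self.token, self.supply_balance, self.guarded, self.entered = token, {}, guarded, False
    @nonreentrant
    def supply(self, user, amount):
        updated = self.supply_balance.get(user, 0) + amount  # read from storage before the external call
        self.token.transfer_from(user, "market", amount)     # the hook may call withdraw() here
        self.supply_balance[user] = updated                   # overwrites whatever the hook changed
    @nonreentrant
    def withdraw(self, user, amount):
        if self.supply_balance.get(user, 0) < amount:
            raise ValueError("insufficient supply balance")
        self.supply_balance[user] -= amount
        self.token.transfer_from("market", user, amount)

def run_scenario(guarded, rounds=3):
    # Re-supply the recorded balance each round while the hook withdraws it mid-call;
    # returns (recorded supply balance, tokens the market holds, tokens the user holds).
    token = ERC777Token({"user": 100, "others": 1000, "market": 0})  # constructed balances
    market = Market(token, guarded)
    market.supply("others", 1000)  # other depositors' imBTC, the liquidity the hook pulls out
    market.supply("user", 10)      # honest deposit: recorded 10, backed by 10 tokens
    token.hooks["user"] = lambda *_: market.withdraw("user", market.supply_balance["user"])
    try:
        for _ in range(rounds):
            market.supply("user", market.supply_balance["user"])
    except RuntimeError: pass  # guarded market: the reentrant withdraw aborts the whole supply
    return market.supply_balance["user"], token.balances["market"], token.balances["user"]
```

Without the guard the recorded balance doubles every round (10, 20, 40, 80) while the user never parts with more than the original 10 tokens, which is the phantom collateral that was then borrowed against; with the guard the recorded balance stays at the 10 tokens that actually back it.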
After the attack, part of the stolen assets was converted to ETH and other tokens by the attacker on DEXs like 1inch.exchange, ParaSwap, and Tokenlon. In addition, some community members have noted that some of the funds went to Compound’s and Aave’s lending platforms.
4)
Part of stolen funds went to @compoundfinance and @AaveAave, another part was sold for MKR, BAT, KNC, LINK.
Some kind of overly devoted DeFi fan?? 🧐
— Frank Topbottom (@FrankResearcher) April 19, 2020
Earlier today, dForce Founder Mindao Yang released his post-mortem on the attack. He noted the team has contacted industry-leading security companies for audits and assessments on dForce’s lending platform along with exploring avenues for recapitalizing the system with its ecosystem partners. The team also noted they are in contact with the attacker and intend to enter discussions with him.
More details to come.
Key Takeaways
Compared with the bZx exploit in February (~$900k) and the iEarn attack (~$280k), the LendF.me hack, at nearly $25M, is one of the biggest to date.
The attack emphasizes the importance of security audits along with users recognizing platform risks when using DeFi. The yields offered in DeFi are not risk-free and anyone who has capital deposited in lending platforms (centralized or decentralized) should understand the potential risks associated with nascent applications and protocols.
More importantly, DeFi’s composability presents growing risks. As the Synthetix founder noted, DeFi applications are only as secure as their weakest money lego.
2. Lending platforms are as strong as their weakest link, imBTC in this case.
— kain.eth (@kaiynne) April 19, 2020
If there’s a vulnerability in an asset or in one application, there are potential implications for every other application and protocol that uses that money lego. As a broad example, if a vulnerability were found in Compound, PoolTogether (which uses Compound’s money markets) could also be exposed to the associated risks.
In the coming days, dForce will have to scramble to get its DeFi supernetwork back online in a secure fashion. It will be interesting to see how the team chooses to recapitalize the system and compensate the users who lost capital from the attack.
If you’re interested in staying up to date on the developments of the exploit, follow dForce’s official Twitter account.
For all things DeFi, subscribe to our newsletter!
Analyst at Bankless – one of the leading resources for open finance. Lucas is an active contributor to the DeFi ecosystem with appearances in other notable DeFi outlets including The Defiant and Our Network. He has years of experience working with dozens of blockchain and token startups, where he focused on token economics, marketing, and growth.