The Chinese decentralized finance (DeFi) protocol dForce has fallen victim to a well-known exploit involving an Ethereum token standard, which led to roughly $25m worth of its users’ cryptocurrency being stolen.
As reported by Decrypt, dForce had only recently announced that it had secured $1.5m in a seed funding round led by the crypto venture capital fund Multicoin Capital. Shortly afterwards, user deposits were drained from the contracts of Lendf.Me, a lending protocol that is part of dForce.
Lendf.Me is now offline and all of its smart contracts have been paused. However, the hackers did return $126,014 of the stolen funds to the lending platform with a note, which read “Better luck next time”.
ERC777 token vulnerability
A similar attack was recently launched against the decentralized exchange Uniswap to steal over $300,000. The exchange’s smart contracts holding imBTC, an Ethereum-based tokenized version of Bitcoin issued by Tokenlon, were drained. The connection between the two attacks is that Lendf.Me integrated imBTC earlier this year.
The Uniswap attack leveraged a known issue with the ERC777 token standard: before an ERC777 transfer completes, the token contract calls a hook registered by the sender, handing control to attacker-controlled code in the middle of the transaction. Because Uniswap’s smart contracts updated their balances only after the token transfer, an attacker could re-enter from that hook and repeatedly withdraw ERC777 funds before the balance updated, which allowed them to drain the contracts of imBTC.
While the dForce hack is entirely separate from the Uniswap hack, it is believed that the same exploit was used in both attacks. The vulnerability is not new: ConsenSys conducted an extensive audit of Uniswap 16 months ago and concluded that this reentrancy was a “major” issue.
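The mechanism described above, as an added illustration in plain Python rather than code from dForce, Lendf.Me, Uniswap or the Decrypt report: an ERC777-style token that calls the sender’s hook before balances move, a Compound-v1-style lending pool whose supply() snapshots the ledger before the external transfer and writes it back afterwards, and the checks-effects-interactions fix. Everything here (ERC777Like, VulnerablePool, HardenedPool, run_attack, the victim/attacker labels, the deposit sizes and round count) is constructed for the example; the real contracts are Solidity and register hooks through the ERC1820 registry, which this model elides.

```python
"""Model of the ERC777 sender-hook re-entrancy against a lending pool.

Added illustration, not the projects' own code. It models EVM call ordering
only: an ERC777-style token invokes the *sender's* tokensToSend hook before
balances change, and the pool's supply() does the external call before it
writes the ledger. Names, balances and round count are assumptions.
"""

POOL = "pool"            # label standing in for the pool contract address
VICTIM = "victim"        # honest liquidity provider (constructed)
ATTACKER = "attacker"    # constructed attacker account


class ERC777Like:
    """Minimal ERC777-style token: the sender's registered hook runs *before*
    balances are updated, which is what hands control to attacker code."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}

    def register_tokens_to_send(self, holder, hook):
        # Real ERC777 does this registration through the ERC1820 registry.
        self.hooks[holder] = hook

    def transfer_from(self, src, dst, amount):
        hook = self.hooks.get(src)
        if hook is not None:
            hook(src, dst, amount)          # external call into the sender's code
        if self.balances.get(src, 0) < amount:
            raise RuntimeError("insufficient token balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class VulnerablePool:
    """supply() computes the new ledger entry, makes the external call, then
    writes the stale value: whatever a re-entrant withdraw() did is clobbered."""

    def __init__(self, token):
        self.token = token
        self.ledger = {}          # pool's own record of what it owes each user

    def supply(self, user, amount):
        new_balance = self.ledger.get(user, 0) + amount   # snapshot (stale later)
        self.token.transfer_from(user, POOL, amount)      # hook may re-enter here
        self.ledger[user] = new_balance                   # overwrites re-entrant change

    def withdraw(self, user, amount):
        if self.ledger.get(user, 0) < amount:
            raise RuntimeError("insufficient ledger balance")
        self.ledger[user] -= amount
        self.token.transfer_from(POOL, user, amount)


class HardenedPool(VulnerablePool):
    """Checks-effects-interactions: update the ledger from live state before
    the external call, so a re-entrant withdraw() is correctly accounted for."""

    def supply(self, user, amount):
        self.ledger[user] = self.ledger.get(user, 0) + amount   # effect first
        self.token.transfer_from(user, POOL, amount)            # interaction last


def run_attack(pool_cls, victim_deposit=1000, attacker_funds=100, rounds=3):
    """Run the doubling attack against a pool class; return the pool's total
    ledger claims and real reserve before cash-out, and the attacker's final
    token holdings after cashing out."""
    token = ERC777Like({VICTIM: victim_deposit, ATTACKER: attacker_funds})
    pool = pool_cls(token)
    pool.supply(VICTIM, victim_deposit)       # honest liquidity
    pool.supply(ATTACKER, attacker_funds)     # honest-looking initial deposit

    armed = {"on": False}

    def tokens_to_send(src, dst, amount):
        # Fires inside supply(), before the deposit actually moves: pull the
        # same amount back out, which also funds the pending transfer.
        if armed["on"]:
            armed["on"] = False
            pool.withdraw(ATTACKER, amount)

    token.register_tokens_to_send(ATTACKER, tokens_to_send)

    for _ in range(rounds):
        armed["on"] = True
        pool.supply(ATTACKER, pool.ledger[ATTACKER])   # re-supply the whole claim

    claims = sum(pool.ledger.values())
    reserve = token.balances[POOL]
    pool.withdraw(ATTACKER, pool.ledger[ATTACKER])   # cash out the inflated claim
    return {"claims": claims, "reserve": reserve,
            "attacker_tokens": token.balances[ATTACKER]}


if __name__ == "__main__":
    for cls in (VulnerablePool, HardenedPool):
        print(cls.__name__, run_attack(cls))
```

Against VulnerablePool the attacker’s ledger entry doubles every round (100, 200, 400, 800) while the pool’s real reserve never changes, so total claims (1800) exceed the reserve (1100) and the final cash-out walks away with the victim’s tokens. Against HardenedPool the re-entrant withdraw is reflected in the ledger, claims equal the reserve throughout, and the attacker ends with exactly the 100 tokens they started with. The same ordering fix is what a pool would need for any token with a pre-transfer callback, not just imBTC.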
To make matters worse, the CEO of Compound, Robert Leshner, claims that Lendf.Me had appropriated Compound’s open-source code. In a tweet, Leshner called out Lendf.Me’s security, saying: “If a project doesn’t have the expertise to develop its own smart contracts, and instead steals and redeploys somebody else’s copyrighted code, it’s a sign that they don’t have the capacity or intention to consider security.”
As of now, dForce has not discussed the hack on its social media channels and it looks like the rest of the stolen funds won’t be returned anytime soon.