A hacker has managed to exploit Multicoin Capital-backed Chinese decentralized finance protocol dForce, draining nearly all the $25 million worth of bitcoin, ether, and stablecoins locked in it.
According to DeFiPulse, the value locked in the protocol dropped from nearly $25 million to about $6 and the Lendf.Me lending platform within the dForce ecosystem is now inaccessible. The Lendf.Me platform integrated the imBTC token in January, an Ethereum token pegged to the value of the flagship cryptocurrency.
A liquidity pool for imBTC was exploited earlier on decentralized cryptocurrency exchange Uniswap for $300,000, taking advantage of the ERC-777 standard which allowed the attacker to continuously call on Uniswap’s smart contract to withdraw funds, before the external balance could be updated. On a blog post, dForce CEO Mindao Yang appeared to confirm the same exploit was used with dForce:
We know that the hackers utilized a vulnerability within the ERC777 standard of imBTC to execute a reentrancy attack. The callback mechanism of ERC777 (imBTC) enabled the hacker to supply and withdraw imBTC repeatedly before the balance was updated.
Ethereum blockchain data shows that the hacker did indeed call on Lendf.Me’s withdrawal functions to move the tokens out of it, after supplying the protocol with imBTC tokens. A similar attack, it’s worth noting, was used during the famous DAO hack in 2016.
On the blog post Yang also revealed the hacker has been in contact with the dForce team and have been in negotiations. The team appears to have send the hacker a message on the Ethereum blockchain asking for them to reach out, which they apparently did.
— Frank Topbottom (@FrankResearcher) April 20, 2020
Yang noted in the blog post that dForce has contacted “top-ranking security companies for a more comprehensive security assessment of Lendf.Me,” and is collaborating with major cryptocurrency exchanges, OTC desks, and law enforcement agencies to investigate the incident and stop the hacker from laundering the stolen funds.
While it’s unclear what dForce and the hacker discussed, it appears they have reached some sort of agreement, as blockchain data shows the hacker returned thousands of dollars with of HUSDv and HBTC, tokens pegged to the U.S. dollar and to bitcoin used on the Huobi exchange.
— Frank Topbottom (@FrankResearcher) April 19, 2020
Some analysts pointed out the hacker likely returned these assets as they’re traded on Huobi only, which could make it extremely hard to launder them. Notably, other DeFi protocols had been exploited earlier this year via flash loans.
Featured image via Pixabay.