DForce Loses 99.95% of Funds in Latest Test of DeFi's Resilience

Published at: April 19, 2020

Chinese decentralized finance, or DeFi, protocol dForce has been exploited in a $24.95 million hack that has resulted in its Lendf.Me lending platform going offline.

According to DeFi data aggregator DeFi Pulse, the total value of funds locked in dForce’s protocol has fallen from almost $25 million to just $10,000 overnight.

On-chain data indicates that the stolen funds have been moved into top DeFi protocols Compound and Aave.

DForce loses over 99.95% of locked funds in attack

Mindao Yang, the CEO of dForce, confirmed the attack on the project’s Telegram channel, announcing that it was attacked at 8:45 am on April 19 during block height 9.989.681.

He stated that the dForce team is currently investigating that attack, and requested that users to not place any assets on the Lendf.Me platform.

The attack is believed to have targeted a vulnerability inherent to Ethereum’s (ETH) ERC-777 token standard.

ERC-777 vulnerability believed to facilitate hack

The same exploit was used to drain more than $300,000 in wrapped Bitcoin (BTC) from smart contracts on the decentralized exchange (DEX) Uniswap containing imBTC — an ERC-777-based tokenized BTC operated by DEX TokenIon.

In response to the attack, Tokenlon announced that no BTC held in custody had been impacted, adding that they had temporarily paused imBTC transfers while considering its next move.

DForce integrated support for imBTC lending on the Lendf.Me platform in January, leading to speculation that it may have also used to exploit dForce.

DForce attacked days after Multicoin Capital investment announced

DForce’s devastating attack comes less than one week after crypto venture capital firm, Multicoin Capital, announced it had led the DeFi protocol’s $1.5 million seed round.

Multicoin Capital principal, Mable Jiang, told Cointelegraph that dForce was building DeFi’s first super-network of decentralized protocols — likening the project to Asian super-apps, WeChat and Alipay.

Since launching in September 2019, dForce’s Lendf.Me had grown to comprise the seventh-largest DeFi protocol by locked assets prior to the attack.

Tags
Related Posts
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
Finance Redefined: Alchemy raises $200M, Bunny goes DAO, Feb. 4–11
Welcome to the latest edition of Cointelegraph’s decentralized finance newsletter. As the DeFi space continues its technical resurgence, essential news on funding, innovation and DAOs continues to drive adoption in what remains a nascent industry. For the full version of this newsletter including longer, more descriptive analysis of the top stories this week, subscribe below: Alchemy raises $200M in latest funding, ACH token soars 77% Web3 platform Alchemy announced the launch of a $200-million Series C funding round this week, giving the company a decacorn status and a valuation of $10.2 billion. The seven-investor round was led by two California-based …
Decentralization / Feb. 12, 2022
STEPN impersonators stealing users' seed phrases, warn security experts
Peckshield, a prominent blockchain security firm, exposed the existence of numerous phishing websites for the Web3 lifestyle app STEPN on Monday. Hackers insert a forged MetaMask browser plugin through which they can steal seed phrases from unsuspecting STEPN users, according to Peckshield. When these cybercriminals obtain the seed phrase, they gain complete control over the STEPN user's dashboard where they may connect their stolen wallets to their own or "claim" a giveaway as per Peckshield. #PeckShieldAlert #phishing PeckShield has detected a bath of @Stepnofficial phishing sites. They insert a false Metamask browser extension leading to stealing your seed phrase or …
Adoption / April 25, 2022
Another depeg — Acala trace report reveals 3B aUSD erroneously minted
High-profile security incidents continue to be a theme in 2022 as the Acala Network joined a long list of stricken platforms to fall prey to exploits. Acala’s aUSD token, which acts as the native stablecoin for the Polkadot and Kusama blockchains, saw its value plummet 99% after a misconfiguration of the iBTC/aUSD liquidity pool was exploited after its launch on Aug. 14. Initial estimates from Acala noted that 1.2 billion aUSD were minted without the necessary collateral - seeing the token’s value depeg from its 1:1 USD ratio to a bottom of $.01. Acala put its network in maintenance mode …
Blockchain / Aug. 17, 2022
Celer Network shuts down bridge over potential DNS hijacking
Interoperability protocol Celer Network (CELR) has asked its users to revoke the approval for several contracts after shutting down its cBridge over a suspected DNS hijacking. According to the project's initial analysis, there was some suspicious DNS activity at around 7 PM (UTC) on Aug. 17. However, the platform is still trying to investigate and know more about the issue at the time of writing. Meanwhile, as the platform continues to pinpoint the problem, the team has shut down the cBridge as an initial way to avoid any more mishaps and protect their users. In addition to shutting down the …
Blockchain / Aug. 18, 2022