DeFi aggregator raided by five hackers on launch day

Published at: April 5, 2021

Fledgling decentralized finance, or DeFi, protocol ForceDAO has had a rough start, with several incursions from hackers taking place just hours after it launched.

The Ethereum-based yield aggregator had only just launched its airdrop campaign on April 3 when four malicious “black hat” hackers managed to drain a total of 183 Ether (ETH), worth approximately $367,000 at the time. One friendly "white hat" hacker assisted the team by alerting them to prevent further losses.

The team has released a post-mortem report of the attacks and taken responsibility for what it termed an “engineering oversight.”

POST-MORTEMTo the Force and DeFi community, we'd like to share a post-mortem on the recent xFORCE exploit.Thanks to everyone technical and non-technical who helped along the way.Especially to the White Hat who helped deter FORCE getting drained.https://t.co/MK2GH69yLd

— Force (@force_dao) April 4, 2021

Following the incursion, the team made a decision to transfer 60 million FORCE tokens from the treasury multisignature wallet into a deployer wallet to create and execute three votes that would effectively burn the FORCE balances in three of the hackers’ addresses.

The post-mortem explained that the xFORCE platform affected was a fork of a SushiSwap smart contract containing a mechanism to revert tokens in the event of failed transactions. The protocol describes xFORCE as the “interest-bearing” version of FORCE, representing shares in its pools similar to how liquidity provider tokens work.

A flaw in the contract used by ForceDAO enabled the attackers to exploit this mechanism to mint xFORCE tokens, which were then withdrawn and exchanged for ETH on the markets. The team acknowledged the attack would have been relatively easy to prevent.

“This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract.”

It added that the hack was currently under investigation, as some of the addresses originated from the popular exchanges FTX and Binance. A snapshot will be taken, and the project will be relaunched with a new xFORCE token, it added.

Following the launch and airdrop, the price of FORCE surged to over $2 on Apr. 4 but has since crashed over 95% to $0.05 at the time of writing.

Tags
Related Posts
​​Cream Finance DeFi platform loses $19M in a flash loan hack
Cream Finance, a major decentralized finance (DeFi) protocol focused on lending, has suffered a severe exploit, with a hacker stealing nearly $19 million from its platform. An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp token, according to an investigation by blockchain security firm PeckShield. Announcing the news Monday, Cream Finance said that the protocol has stopped the exploit by pausing supply and borrow contracts on the Amp token. “No other markets were affected,” Cream Finance stated. C.R.E.A.M. v1 market on …
Decentralization / Aug. 30, 2021
Finance Redefined: One hack to bring down a whole market, Feb 10–17
Finance Redefined is Cointelegraph's DeFi-centric newsletter, delivered to subscribers every Wednesday. The Alpha Homora and Cream Finance hack has made a gigantic mark in the DeFi space this week. It is the largest single hack in DeFi history at $37 million in funds stolen. It is also one of the most complex, apparently leveraging several honest-to-God vulnerabilities in Alpha Homora. A few missing input checks in very specialized conditions allowed the hacker to abuse Alpha Homora’s privilege of borrowing an unlimited amount of funds from Cream Finance’s Iron Bank. Flash loans were of course involved, but unlike some previous hacks …
Technology / Feb. 18, 2021
Yearn.Finance puts expanded treasury to use by repaying victims of $11M hack
Major decentralized finance protocol Yearn.Finance (YFI) has restored its yDAI vault in the aftermath of a $11 million exploit by hackers. Yearn announced Tuesday that they opened a Maker vault with YFI tokens from the treasury and minted 9.7 million DAI tokens from the vault to keep the yDAI vault intact. Using borrowed money allows the project to reimburse users without taking a hit to the treasury, either due to possible YFI appreciation or by gradually repaying the debt with protocol revenue. The team said that this is a one-off occurrence, as they expect users to hedge their own risks …
Technology / Feb. 9, 2021
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
Top 7 cybersecurity jobs in high demand
In today’s digital age, cybersecurity has become a critical aspect of almost every business. Cyber threats are increasing daily, and businesses must take proactive measures to protect their networks and data. As a result, the demand for cybersecurity professionals has skyrocketed. Little Friday humour #meme #cybersecurity @hackurityio pic.twitter.com/MArEpCh03k — Harold De Vries (@devries_harold) February 17, 2023 In this article, we will discuss the top seven cybersecurity jobs that are in high demand. Cybersecurity analyst A cybersecurity analyst is responsible for identifying and mitigating cyber threats to an organization’s network and data. They examine system logs and network traffic to find …
Technology / Feb. 26, 2023