
Hackers Exploit DeFi Protocol dForce for $25 million | Discussion Forum

Guangyaw Apr 21 '20

Hackers Exploit DeFi Protocol dForce for $25 million

Multicoin Capital-backed Chinese decentralized finance protocol dForce has been exploited for about $24.9 million, losing nearly all of the total value locked in it. A lending platform within the dForce ecosystem, Lendf.Me, is also inaccessible at press time.

Lendf.Me integrated with imBTC, an Ethereum token pegged to the value of the flagship cryptocurrency, in January. A liquidity pool for imBTC on decentralized exchange Uniswap was exploited for around $300,000 at around the same time dForce was.

The imBTC attack on Uniswap relied on the token’s use of the ERC-777 standard, which allowed the attacker to repeatedly call Uniswap’s smart contract to withdraw funds before the external balance could be updated. In a blog post, dForce CEO Mindao Yang wrote:

“We know that the hackers utilized a vulnerability within the ERC777 standard of imBTC to execute a reentrancy attack. The callback mechanism of ERC777 (imBTC) enabled the hacker to supply and withdraw imBTC repeatedly before the balance was updated.”

Data on the Ethereum blockchain shows the hacker repeatedly called Lendf.Me’s withdrawal functions to move imBTC out of it. The imBTC appears to have initially been supplied by the hacker. A similar attack was notably used back in 2016, in the famous DAO hack.

In the blog post, dForce CEO Mindao Yang confirmed that the hacker(s) had reached out to the project’s team and that it intends to “enter into discussions with them.”

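The ordering problem described in the article, as a simplified Python model added here (it is not code from dForce, Lendf.Me, Uniswap or imBTC): a token whose transfer calls a hook on the recipient, and a pool whose withdraw either pays out before updating its ledger or records the withdrawal first. All class and function names are hypothetical, the balances are constructed, and the model covers only re-entry into withdraw.

```python
# Added, simplified model; every name here is hypothetical, not project code.
class Token:
    """Token whose transfer() calls a hook on the recipient (ERC-777 style)."""
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, recipient, amount):
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook:
            hook(amount)  # control passes to the recipient here

class Pool:
    def __init__(self, token, hardened):
        self.token, self.hardened, self.ledger = token, hardened, {}
    def supply(self, account, amount):
        self.token.transfer(account, self, amount)
        self.ledger[account] = self.ledger.get(account, 0) + amount
    def withdraw(self, account, amount):
        if self.ledger.get(account, 0) < amount:
            raise ValueError("insufficient ledger balance")
        if self.hardened:
            self.ledger[account] -= amount  # record the withdrawal first
            self.token.transfer(self, account, amount)
        else:
            self.token.transfer(self, account, amount)  # hook runs on a stale ledger
            self.ledger[account] -= amount

class ReenteringAccount:
    """Test double: calls withdraw() again, once, from inside the receive hook."""
    pool, reentered, rejected = None, False, False
    def tokens_received(self, amount):
        if self.pool and not self.reentered:
            self.reentered = True
            try:
                self.pool.withdraw(self, amount)
            except ValueError:
                self.rejected = True

def run(hardened):
    token, other, acct = Token(), object(), ReenteringAccount()
    pool = Pool(token, hardened)
    token.balances = {other: 30, acct: 10}  # constructed sample balances
    pool.supply(other, 30)
    pool.supply(acct, 10)
    acct.pool = pool
    pool.withdraw(acct, 10)
    return token.balances[acct], token.balances[pool], acct.rejected
```

`run(False)` ends with the account holding 20 tokens against a 10-token deposit, while `run(True)` rejects the nested call and the pool keeps the other depositor's 30.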