Hackers just exploited dForce, a DeFi contract, for $25 million. A known ERC777 vulnerability led to an attack that drained a huge chunk of coin from a Uniswap pool.
April 19, 2020 | AtoZ Markets – There’s no doubt that decentralized finance (DeFi) has been central to the Ethereum ecosystem over the past year. But unfortunately, this use for the second-largest blockchain doesn’t come without its own set of flaws.
Hackers exploit DeFi lending protocol
dForce has lost about $25 million worth of its customers’ cryptocurrency due to a well-known exploit of an Ethereum token. The total value locked in the dForce ecosystem was down by 100% to $6 over the past 24 hours, per DeFi Pulse data.
A day ago, the total value locked in the system was $2.9 million. The Lendf.Me website, a lending platform within the dForce ecosystem, is also not accessible at press time.
According to a local Chinese outlet, the team has already “located the problem and advised all users to stop depositing assets in the loan agreement on the web page.” The attack happened on block 9989681. On-chain data reveals that the attacker has transferred the assets to two other platforms, namely, Compound and Aave.
Furthermore, information from the popular DeFi data monitoring resource DeFi Pulse reveals that the total value locked (TVL) in USD in dForce was dramatically reduced from $25 million to about $10,000.
Interestingly enough, the bad news comes just a few days after dForce closed a successful financing round of $1.5 million led by Multicoin Capital, which also included co-investors China Merchant Bank International and Huobi Capital.
Not the first DeFi hack
This is far from the first time a user has turned a large profit by leveraging bugs in Ethereum-based DeFi protocols over the past few months.
Just a couple of months ago, AtoZ Markets reported that almost $1 million worth of ETH was compromised following two attacks on another DeFi protocol called bZx. The two attacks weren’t exactly the same, but the gist of both is as follows:
- A user took out a “flash loan” of a large sum of ETH from bZx. A flash loan is a loan in which the user borrows and returns the capital in the same transaction.
- The ETH was used to purchase another Ethereum-based asset.
- The purchase distorted how other protocols saw the price of that asset, and the user profited because price oracles registered the false values.
The attacks saw bZx users lose $300,000 and around $650,000, for a total of nearly $1 million.
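The price distortion described in the steps above comes down to simple pool arithmetic, shown here together with a deviation check a lending protocol could apply before trusting a price. This is an added example, not code from bZx, dForce or the article; the constant-product pool model, the reserve figures, the reference price and the `guarded_price` helper are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (eth * token = k), assumed here as the price source."""
    eth: float
    token: float

    def spot_price(self) -> float:
        # ETH per token, read straight from the current reserves
        return self.eth / self.token

    def buy_token(self, eth_in: float) -> float:
        """Swap ETH for tokens (fees ignored); returns the tokens received."""
        k = self.eth * self.token
        self.eth += eth_in
        out = self.token - k / self.eth
        self.token -= out
        return out

    def sell_token(self, token_in: float) -> float:
        """Swap tokens back for ETH (fees ignored); returns the ETH received."""
        k = self.eth * self.token
        self.token += token_in
        out = self.eth - k / self.token
        self.eth -= out
        return out


def guarded_price(spot: float, reference: float, max_dev: float = 0.05) -> float:
    """Return spot only if it is within max_dev of an independent reference price."""
    if abs(spot - reference) / reference > max_dev:
        raise ValueError(f"spot {spot:.4f} deviates from reference {reference:.4f}")
    return spot


def simulate():
    pool = Pool(eth=1_000.0, token=100_000.0)  # constructed reserves
    before = pool.spot_price()
    bought = pool.buy_token(1_000.0)           # one large buy inside a single transaction
    during = pool.spot_price()                 # what a naive spot-price oracle would report
    try:
        guarded_price(during, reference=before)
        blocked = False
    except ValueError:
        blocked = True                         # the deviation check refuses the price
    pool.sell_token(bought)                    # position unwound in the same transaction
    return before, during, pool.spot_price(), blocked
```

The spot price quadruples only for the duration of the transaction and is back to its starting value afterwards, which is why a protocol that reads reserves directly sees the false value while later observers see nothing unusual.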
Last year during Ethereal Summit, Vitalik Buterin discussed DeFi protocols and outlined a lot of their benefits. However, he warned that people shouldn’t put their money into them.