LendF.Me lost $25 Million in Weekend Attack Exploit

Share some Bitpinas love:

April 20, 2020 – Lendf.me, a lending protocol from dForce Foundation has been hacked, with a total of $25 Million worth in Ether and Bitcoin stolen this weekend.

Speculation points to the integration of imBTC, an ERC-777 token pegged to Bitcoin. An exploit was used to drain worth $300,000 from the decentralized exchanged UniSwap. The smart contracts in Uniswap containing imBTC were drained. Reports say there is a known vulnerability in the ERC-777 standard – hackers can continually withdraw ERC-777 funds from Uniswap before the balance could be updated.

News website Decrypt said the funds from Lendf.Me was sent to other lending protocols like Compound and Aave.

The hackers also returned $126,014 to Lendf.Me with a note that says “Better luck next time.”

Lendf.Me was one of the largest DeFi market by value right before this attack. Before the hacker returned some funds, LendF.Me was drained down to $6.

dForce recently announced a new funding round worth $1.5 million.

In the past, it was also called out for allegedly appropriating code from Compound, one of the lending protocols were the funds were sent to by the hacker. Compound CEO Robert Leshner said the fact that imBTC was not disabled on LendF.Me is “beyond negligent“. He then proceeded to say that trusting platforms “with obvious red flags like code appropriation is a bad bad idea“, an obvious swipe at LendF and dForce foundation.

As of this writing, dForce founder Mindao Yang wrote on Medium a summary of the attack to Lendf.Me.

  1. On April 19, 2020, Lendf.Me was attacked with around $25 million in assets drained from the contract.
  2. LendF.me/dForce learned of the attach by 9:15 am (UTC +8) via internal monitoring.
  3. Lend.Me and USDx were paused immediately and the websites taken down to investigate the attack and assess the situation.
  4. It appears the hacker have concluded the attack.
  5. The hacker contacted dForce and the foundation intends to enter into discussions with them.
  6. dForce contacted law enforcement in various jurisdictions, reached out to asset issuers and exchanges to track down and blacklists the hacker’s addresses and engage their legal teams.

Mr. Yang apologizes for the attack and said he should have anticipated the attack and have taken actions to prevent it. As of press time, Mr. Yang will have a new update by 11;59 pm (UTC +8) with more details.

Sources: Coindesk, The Block, DeFi Pulse, DeCrypt, Mindao Yang on Medium

This article is published on BitPinas: DeFi Protocol dForce lost $25 Million in Weekend Attack Exploit

Share some Bitpinas love:

Crypto and Web3 Jobs Philippines

New on BitPinas: Web3 and Crypto Job Portal

Fastbreak News:

Follow on social and subscribe to our newsletter
8 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments

… [Trackback]

[…] There you will find 61794 additional Info to that Topic: bitpinas.com/news/defi-protocol-dforce-lost-25-million-weekend-attack-exploit/ […]

… [Trackback]

[…] There you can find 64250 more Information to that Topic: bitpinas.com/news/defi-protocol-dforce-lost-25-million-weekend-attack-exploit/ […]

trackback

… [Trackback]

[…] Info on that Topic: bitpinas.com/news/defi-protocol-dforce-lost-25-million-weekend-attack-exploit/ […]

trackback

… [Trackback]

[…] Info to that Topic: bitpinas.com/news/defi-protocol-dforce-lost-25-million-weekend-attack-exploit/ […]

trackback

… [Trackback]

[…] There you will find 82067 additional Info on that Topic: bitpinas.com/news/defi-protocol-dforce-lost-25-million-weekend-attack-exploit/ […]

… [Trackback]

[…] Info to that Topic: bitpinas.com/news/defi-protocol-dforce-lost-25-million-weekend-attack-exploit/ […]

trackback

… [Trackback]

[…] Find More here on that Topic: bitpinas.com/news/defi-protocol-dforce-lost-25-million-weekend-attack-exploit/ […]

trackback

… [Trackback]

[…] There you will find 19896 additional Information on that Topic: bitpinas.com/news/defi-protocol-dforce-lost-25-million-weekend-attack-exploit/ […]