LendF.Me lost $25 Million in Weekend Attack Exploit
April 20, 2020 – Lendf.me, a lending protocol from dForce Foundation has been hacked, with a total of $25 Million worth in Ether and Bitcoin stolen this weekend.
Speculation points to the integration of imBTC, an ERC-777 token pegged to Bitcoin. An exploit was used to drain worth $300,000 from the decentralized exchanged UniSwap. The smart contracts in Uniswap containing imBTC were drained. Reports say there is a known vulnerability in the ERC-777 standard – hackers can continually withdraw ERC-777 funds from Uniswap before the balance could be updated.
News website Decrypt said the funds from Lendf.Me was sent to other lending protocols like Compound and Aave.
The hackers also returned $126,014 to Lendf.Me with a note that says “Better luck next time.”
Lendf.Me was one of the largest DeFi market by value right before this attack. Before the hacker returned some funds, LendF.Me was drained down to $6.
dForce recently announced a new funding round worth $1.5 million.
In the past, it was also called out for allegedly appropriating code from Compound, one of the lending protocols were the funds were sent to by the hacker. Compound CEO Robert Leshner said the fact that imBTC was not disabled on LendF.Me is “beyond negligent“. He then proceeded to say that trusting platforms “with obvious red flags like code appropriation is a bad bad idea“, an obvious swipe at LendF and dForce foundation.
As of this writing, dForce founder Mindao Yang wrote on Medium a summary of the attack to Lendf.Me.
- On April 19, 2020, Lendf.Me was attacked with around $25 million in assets drained from the contract.
- LendF.me/dForce learned of the attach by 9:15 am (UTC +8) via internal monitoring.
- Lend.Me and USDx were paused immediately and the websites taken down to investigate the attack and assess the situation.
- It appears the hacker have concluded the attack.
- The hacker contacted dForce and the foundation intends to enter into discussions with them.
- dForce contacted law enforcement in various jurisdictions, reached out to asset issuers and exchanges to track down and blacklists the hacker’s addresses and engage their legal teams.
Mr. Yang apologizes for the attack and said he should have anticipated the attack and have taken actions to prevent it. As of press time, Mr. Yang will have a new update by 11;59 pm (UTC +8) with more details.
Sources: Coindesk, The Block, DeFi Pulse, DeCrypt, Mindao Yang on Medium
This article is published on BitPinas:ย DeFi Protocol dForce lost $25 Million in Weekend Attack Exploit