Hackers extract millions of cryptocurrencies from dForce Exchange

Chinese decentralized finance (DeFi) protocol dForce fell victim to a known Ethereum token exploit that resulted in €25 million worth of cryptocurrency being stolen from its clients. As reported by Decrypt, dForce recently announced that it had raised €1.5 million in a seed funding round led by cryptocurrency venture capital fund Multicoin Capital. The stolen funds were taken from the contracts of Lendf.Me, a lending protocol that is part of dForce. Lendf.Me is now offline and all of its smart contracts have been suspended. The hackers did, however, return €126,014 of the stolen funds to the lending platform with a note reading "Better luck next time."

ERC777 token vulnerability

A similar attack was recently launched against decentralized exchange Uniswap to steal more than €300,000. Exchange smart contracts holding imBTC, an Ethereum-based token version of Bitcoin run by Tokenlon, were drained. The link between the two attacks is that Lendf.Me joined imBTC earlier this year.

The Uniswap attack exploited a known vulnerability in the ERC777 token standard. Due to the way Uniswap smart contracts are set up, a hacker could continually withdraw ERC777 funds from Uniswap before the balance is updated, potentially allowing them to drain the imBTC contracts. Although the dForce hack is completely separate from the Uniswap hack, it is believed that the same exploit was used in both attacks. The vulnerability is not new: the firm ConsenSys conducted an in-depth audit of Uniswap 16 months ago and concluded that it was a "significant" issue.

To make matters worse, Compound CEO Robert Leshner says Lendf.Me had hijacked its open source code. In a tweet, Leshner called out Lendf.Me's security, saying: "If a project doesn't have the expertise to develop its own smart contracts, and instead steals and redeploys another person's copyrighted code, it is a sign that they do not have the ability or intent to consider security." For now, dForce has not discussed the hack on its social media, and it appears that the rest of the stolen funds will not be returned any time soon.
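The "withdraw before the balance is updated" flaw described above can be reproduced in a small model. This is an added example, not code from Uniswap, Lendf.Me or the original article: the `Pool` class, the account names and the amounts are constructed, and the callback stands in for the recipient hook that an ERC777-style token invokes during a transfer. It compares the unsafe ordering with the usual fix (update the ledger first, pay out last, and reject reentrant calls).

```python
class Pool:
    """Toy ledger whose payout invokes a recipient callback (ERC777-style hook)."""

    def __init__(self, hardened):
        self.reserve = 0        # tokens the pool actually holds
        self.ledger = {}        # balance the pool has recorded per account
        self.hardened = hardened
        self.locked = False     # reentrancy guard, used only when hardened

    def deposit(self, who, amount):
        self.ledger[who] = self.ledger.get(who, 0) + amount
        self.reserve += amount

    def _pay(self, amount, hook):
        self.reserve -= amount
        if hook:
            hook(self)          # control passes to the recipient here

    def withdraw(self, who, amount, hook=None):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        before = self.ledger.get(who, 0)
        if before < amount or self.reserve < amount:
            raise ValueError("insufficient balance")
        if not self.hardened:
            self._pay(amount, hook)             # interaction first
            self.ledger[who] = before - amount  # stale value written too late
            return
        self.locked = True
        try:
            self.ledger[who] = before - amount  # effect first
            self._pay(amount, hook)             # interaction last
        finally:
            self.locked = False


def simulate(hardened, reentries=4):
    """Return (total paid to caller, pool reserve, caller's recorded balance)."""
    pool = Pool(hardened)
    pool.deposit("others", 90)   # constructed sample balances
    pool.deposit("caller", 10)
    paid = []

    def hook(p):                 # recipient callback that calls back into the pool
        paid.append(10)
        if len(paid) <= reentries:
            try:
                p.withdraw("caller", 10, hook)
            except (RuntimeError, ValueError):
                pass

    pool.withdraw("caller", 10, hook)
    return sum(paid), pool.reserve, pool.ledger["caller"]
```

With the unsafe ordering, a 10-token deposit is paid out five times and the pool holds 50 tokens against 90 still owed to other depositors; with the hardened ordering the same call sequence pays out exactly 10.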