The attacker failed to use a decentralized network and relied on a VPN alone. This left the IP address visible, and that address was linked to the three exchange interactions. It is also known that the attacker used a Mac, and the attacker's screen resolution and system language setting are known as well. With investigations already underway, it is believed that the attacker returned the funds in the hope of leniency. Managing Partner of Dragonfly Capital, Haseeb Qureshi, has called this the “most dramatic bug bounty” he had ever seen.
This is insane. The lendf/dForce hacker is in the process of returning all the hacked funds to the admin:
$10M of ETH
$6.6M of USDT
$2.2M of HBTC
$750K of USDC
$381K of HUSD
$137K of DAI
$132K of MKR
$126K of PAX
Grand total of just over $20M. https://t.co/FLkJmv7m2A pic.twitter.com/6oaLgvnZMr
— Haseeb Qureshi (@hosseeb) April 21, 2020
The attack is a blow to dForce, which only a few days earlier received $1.5 million in seed funding led by Multicoin Capital. BeInCrypto requested a comment from dForce, but is yet to receive a response.
This is the most dramatic bug bounty award I've ever seen.
— Haseeb Qureshi (@hosseeb) April 21, 2020
$25 Million in 8 Assets Stolen
The attack began late on Saturday and continued into Sunday. The consensus is that the attacker exploited a vulnerability in the ERC-777 token standard, using a method similar to the one used in the 2016 Ethereum Decentralized Autonomous Organization (DAO) attack. The attack saw over 99% of dForce’s funds stolen, in assets that include BTC, ETH, USDT, DAI, MKR, and PAX. The attacker focused his efforts on the UniSwap and Lendf.me protocols. The latter’s platform has gone offline, and dForce CEO Mindao Yang has asked users not to hold assets on Lendf.me. Following the theft, the attacker moved funds into the DeFi platforms Compound and Aave. In a tweet, Compound CEO Robert Leshner criticised Lendf.me for redeploying its code and hoped that a lesson would be learned from the hack.
If a project doesn't have the expertise to develop its own smart contracts, and instead steals and redeploys somebody else's copyrighted code, it's a sign that they don't have the capacity or intention to consider security.
Hope developers & users learn from the @LendfMe hack.
— 🤖 Leshner (@rleshner) April 19, 2020
DeFi Experiencing a Test of Resolve
The Decentralized Finance (DeFi) space has seen tremendous growth in the past year, at its peak holding over $1 billion in locked funds. However, recent events have largely been negative, with several entities in the space having suffered thefts. The bZx protocol saw roughly $1 million stolen in February in what was described as an “oracle manipulation attack.” The bZx team’s decision to suspend the network then drew criticism for being centralized. These attacks and the subsequent responses have tempered some of the buoyant optimism that has accompanied DeFi’s growth. Having almost halved in value since the start of 2020, the DeFi market is now holding above its 2020 low, sitting at $736 million in locked Ether at the time of publishing. The community itself has called for better security, saying that the forking of an open source protocol (Compound says that dForce stole its code) only highlights the priority of securing code.