DForce Attacker Returns All of the $25 Million in Stolen Funds

21 April 2020, 08:56 GMT+0000
Updated by Kyle Baird
21 April 2020, 12:29 GMT+0000
In Brief
  • Attacker returns all $25 million in funds that were stolen just a few days ago.
  • A failure to cover tracks led to metadata, including the IP address, being visible.
  • Community calls into question the protocol’s security.

The attacker responsible for the $25 million theft from DeFi protocol, dForce, has returned all of the funds. There has been no explanation for the change of heart, but it is suspected that a lack of thoroughness in covering up his tracks led the attacker to return the funds, in order to avoid further investigation.
Chinese DeFi lending platform dForce has had all of its roughly $25 million in stolen funds returned. The surprise move is likely because the attacker failed to cover up his or her tracks, with metadata linked to the attacker offering much data about the attacker’s possible identity. The attacker did not use a decentralized network, relying only on a VPN. This made the IP address visible, and it was linked to the three exchange interactions. It is also known that the attacker used a Mac, and the screen resolution and system language setting are known as well.
With investigations already underway, it is believed that the attacker returned the funds in the hope of leniency. Managing Partner of Dragonfly Capital, Haseeb Qureshi, has called this the “most dramatic bug bounty” he had ever seen.
The attack is a blow to dForce, which only a few days earlier received $1.5 million in seed funding led by Multicoin Capital. BeInCrypto requested a comment from dForce, but is yet to receive a response.

$25 Million in 8 Assets Stolen

The attack began late on Saturday and continued into Sunday. The consensus is that the attacker exploited a vulnerability in the ERC-777 protocol, a method similar to the one used in the 2016 Ethereum Decentralized Autonomous Organization (DAO) attack. The attack saw over 99% of dForce’s funds stolen, in assets that include BTC, ETH, USDT, DAI, MKR, and PAX. The attacker focused his efforts on the Uniswap and Lendf.me protocols. The latter’s platform has gone offline, and dForce CEO, Mindao Yang, has asked users not to hold assets on Lendf.me.
Following the theft, the attacker moved funds into DeFi platforms Compound and Aave. In a tweet, Compound CEO, Robert Leshner, criticised Lendf.me for redeploying its code and hoped that a lesson would be learned from the hack.

DeFi Experiencing a Test of Resolve

The Decentralized Finance (DeFi) space has seen tremendous growth in the past year, at its peak holding over $1 billion in locked funds. However, recent events have largely been negative, with several entities in the space having experienced thefts. The bZx protocol saw roughly $1 million stolen in February, in what was described as an “oracle manipulation attack.” The bZx team’s decision to suspend the network then drew criticism for being centralized.
These attacks and the subsequent responses have tempered some of the buoyant optimism that has accompanied DeFi’s growth. Having almost halved in value since the start of 2020, the DeFi market is now holding above its 2020 low, sitting at $736 million in locked Ether at the time of publishing. The community itself has called for better security, saying that the forking of an open source protocol (Compound says that dForce stole its code) only highlights the priority of securing code.

