Weekend Attack Drains Decentralized Protocol dForce of $25M in Crypto

dForce appears to have lost control of $25 million in bitcoin and ether held in its decentralized lending protocol.

AccessTimeIconApr 19, 2020 at 4:30 a.m. UTC
Updated Sep 14, 2021 at 8:30 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

Decentralized finance protocol dForce lost over 99 percent of its assets in an attack Saturday night, according to DeFi Pulse.

Lending protocol Lendf.me saw some $25 million in ether (ETH) and bitcoin (BTC) exit its wallets late Saturday and early Sunday after its money market pool was attacked. Lendf is one of two protocols supported by the dForce Foundation.

“Lendf.me confirmed it was attacked at 8:45 Beijing time Sunday at block height 9899681,” Lendf.me said to Chinese media outlet Chain News. dForce did not respond to CoinDesk's requests for comment by press time.

Earlier speculation from other DeFi protocol builders say the attack was caused by imBTC, an ethereum token pegged one-to-one with bitcoin, used as collateral that turned out to be fraudulent, enabling the attacker to drain funds for nearly free.

DeFiPulse shows that dForce lost $25 million between 00:00 UTC and 03:00 UTC on April 19.
DeFiPulse shows that dForce lost $25 million between 00:00 UTC and 03:00 UTC on April 19.

It is unclear whether any users were able to withdraw their funds or if the attacker seized all $25 million. Compound CEO Robert Leshner claimed the attacker seized the full total.

Lendf’s website reads “Do not supply anymore!” dForce Foundation CEO Mindao Yang said the team was “still investigating” the incident and urged users to “not supply any asset into lendf.me for now” in the protocol’s open Telegram channel. The website appeared to go down shortly after 04:00 UTC.

After the attack, DeFi Pulse reported Lendf’s accounts holding $18,900 in USD, or about 101 ether or 2.6 bitcoin as of press time. After this article was published, that sum fell to $6.

Leshner said on Twitter the firm “copy/pasted Compound v1 without changes.” 

Leshner told CoinDesk on Telegram the v1 code "was not flawed," but the group was cautious about which assets it listed.

"This is a followup attack to the imBTC Uniswap attack yesterday," he said, noting that imBTC is an ERC-777 token and "not a normal Ethereum asset."

"Smart contracts that include imBTC have to be extra cautious and write additional code to protect against 're-entrancy attacks,'" he said.

A pinned tweet on Lendf’s Twitter page calls it “by far the largest fiat-back stablecoin #DeFi lending protocol.”

The dForce Foundation closed a $1.5 million strategic round led by Multicoin Capital and joined by Huobi Capital and Chinese bank CMB International (CMBI) last week. The funds were intended to grow its staff and launch additional DeFi products in the coming year.

This is a developing situation.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.

Read more about