Weekend Attack Drains Decentralized Protocol dForce of $25M in Crypto
dForce appears to have lost control of $25 million in bitcoin and ether held in its decentralized lending protocol.
Apr 19, 2020 at 4:30 a.m. UTC:format(webp)/cloudfront-us-east-1.images.arcpublishing.com/coindesk/GD5SM6WYZNGTTIIKW7JAHZWEX4.jpg)
dForce's Lendf holdings appear to be completely drained. (Credit: Shutterstock)
/arc-photo-coindesk/arc2-prod/public/LXF2COBSKBCNHNRE3WTK2BZ7GE.png)
Decentralized finance protocol dForce lost over 99 percent of its assets in an attack Saturday night, according to DeFi Pulse.
Lending protocol Lendf.me saw some $25 million in ether (ETH) and bitcoin (BTC) exit its wallets late Saturday and early Sunday after its money market pool was attacked. Lendf is one of two protocols supported by the dForce Foundation.
“Lendf.me confirmed it was attacked at 8:45 Beijing time Sunday at block height 9899681,” Lendf.me said to Chinese media outlet Chain News. dForce did not respond to CoinDesk's requests for comment by press time.
:format(webp)/cloudfront-us-east-1.images.arcpublishing.com/coindesk/SWX35E3CKJGC7G6XWCFKFRVBXI.png)
It is unclear whether any users were able to withdraw their funds or if the attacker seized all $25 million. Compound CEO Robert Leshner claimed the attacker seized the full total.
Lendf’s website reads “Do not supply anymore!” dForce Foundation CEO Mindao Yang said the team was “still investigating” the incident and urged users to “not supply any asset into lendf.me for now” in the protocol’s open Telegram channel. The website appeared to go down shortly after 04:00 UTC.
After the attack, DeFi Pulse reported Lendf’s accounts holding $18,900 in USD, or about 101 ether or 2.6 bitcoin as of press time. After this article was published, that sum fell to $6.
Leshner said on Twitter the firm “copy/pasted Compound v1 without changes.”
Leshner told CoinDesk on Telegram the v1 code "was not flawed," but the group was cautious about which assets it listed.
"This is a followup attack to the imBTC Uniswap attack yesterday," he said, noting that imBTC is an ERC-777 token and "not a normal Ethereum asset."
"Smart contracts that include imBTC have to be extra cautious and write additional code to protect against 're-entrancy attacks,'" he said.
A pinned tweet on Lendf’s Twitter page calls it “by far the largest fiat-back stablecoin #DeFi lending protocol.”
The dForce Foundation closed a $1.5 million strategic round led by Multicoin Capital and joined by Huobi Capital and Chinese bank CMB International (CMBI) last week. The funds were intended to grow its staff and launch additional DeFi products in the coming year.
This is a developing situation.
Disclosure
Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by Block.one; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.
:format(webp)/downloads.coindesk.com/arc/failsafe/user/1x1.png)
Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.