dForce – a China-based startup aiming to build a DeFi super network – was hacked for nearly $25M late last night. The attack was on the platform’s lending application, LendF.me, and was found to be using the same basis as the attack that drained Uniswap‘s imBTC/ETH pool the day prior.

In short, the exploit leveraged a reentrancy attack via imBTC and its ERC777 token standard. The reentrancy vulnerability allowed the hacker to repeatedly increase his ability to borrow all other assets on the dForce’s lending platform – ultimately leading to the attacker with the ability to exit with all of the assets deposited in the lending application. Here’s a great thread explaining the attack more in depth.

In total, the attack on Lendf.Me resulted in roughly $24.75M in losses. According to the SlowMist Security Team, the asset distribution for losses on the platform is as follows:

  • 55,159 WETH
  • 9.01 WBTC
  • 77,930 CHAI
  • 320.27 HBTC
  • 432,162.90 HUSD
  • 480,787.88 BUSD
  • 587,014.60 PAX
  • 459,794.38 TUSD
  • 698,916.40 USDC
  • 718,0525.08 USDT
  • 510,868.16 USDx
  • 291.34 imBTC

The exploit comes after the team closed a $1.5M strategic round earlier this week led by Multicoin Capital, Huobi Capital, and CMBI – a subsidiary one of China’s largest banks. dForce is aiming to become a DeFi super network, attacking all verticals in open finance while targeting China’s growing demographic.

Prior to the attack, dForce was experiencing steady growth as it topped #7 on DeFi Pulse in terms of total value locked. The DeFi platform accumulated over $25M in value at its peak days before the attack.

The China-based DeFi platform has drawn criticisms from the community given the code similarities with Compound. Lendf.Me is allegedly based on the original Compound V1 smart contracts which had no reentrancy guard in place, making the platform vulnerable to supported assets based on the ERC777 token standard.

After the attack, parts of the stolen crypto assets were converted to ETH and other tokens by the attacker on DEXs like 1inch.exchange, ParaSwap, and Tokenlon. In addition, some community members have noted that some of the funds went to Compound and Aave’s lending platforms.

Earlier today, dForce Founder Mindao Yang released his post-mortem on the attack. He noted the team has contacted industry-leading security companies for audits and assessments on dForce’s lending platform along with exploring avenues for recapitalizing the system with its ecosystem partners. The team also noted they are in contact with the attacker and intend to enter discussions with him.

More details to come.

Key Takeaways

With the bZx exploit in February for $900k and the iEarn attack for ~$280k, the LendF.me hack was one of the biggest to date totaling for nearly $25M.

The attack emphasizes the importance of security audits along with users recognizing platform risks when using DeFi. The yields offered in DeFi are not risk-free and anyone who has capital deposited in lending platforms (centralized or decentralized) should understand the potential risks associated with nascent applications and protocols.

More importantly, DeFi’s composability presents increasing risks. As noted by Synthetix Founder, DeFi applications are only as secure as its weakest money lego.

If there’s a vulnerability in an asset or one application, there are potential implications for all other applications and protocols that use the respective money lego. As a broad example, if there was a vulnerability found in Compound, PoolTogether (which uses Compound’s money markets) may also incur the associated risks.

In the coming days, dForce will have to scramble to get its DeFi supernetwork back online in a secure fashion. It will be interesting to see how the team chooses to recapitalize the system and compensate the users who lost capital from the attack.

If you’re interested in staying up to date on the developments of the exploit, follow dForce’s official Twitter account.

For all things DeFi, subscribe to our newsletter!

Sign up for This Week in DeFi