China’s dForce loses $25 million in a hack due to a vulnerability in an Ethereum token

Earlier last week, dForce announced that it had secured $1.5 million in a seed round led by crypto VC fund Multicoin Capital. But the Chinese decentralized finance protocol suffered a major hack today, in which hackers got away with $25 million worth of its customers’ cryptocurrency. The money was stolen from the contracts of Lendf.Me, a lending protocol that’s part of dForce, a collection of DeFi protocols. Lendf.Me is now offline, and its smart contracts have been stopped.

According to a local news report, the hackers returned $126,014 to Lendf.Me with a note saying, “Better luck next time.” The hack is linked to a vulnerability in an Ethereum token that was used yesterday to steal more than $300,000 from the decentralized exchange Uniswap. Uniswap smart contracts containing imBTC, an Ethereum-based, tokenized version of Bitcoin run by Tokenlon, were drained. Lendf.Me had integrated imBTC in January this year. The Uniswap attack took advantage of a known vulnerability in the ERC777 token standard.

Uniswap smart contracts are designed in such a way that a hacker could continually withdraw ERC777 funds from Uniswap before the balance updated. Hackers managed to drain the contracts of imBTC gradually. The dForce hack is also suspected of using the same exploit and vulnerability in the Ethereum token standard ERC777. Tokenlon and Lendf.Me temporarily halted their smart contracts after the attacks. Tokenlon wrote in a Medium post that imBTC transfers would be resumed once Tokenlon and its partners are confident that it is secure to do so. DeFi Rate noted that the exploit is quite similar to the 2016 attack on The DAO. As of now, dForce still has not discussed the exploit on its social media platforms.
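The ordering problem described above, modelled in Python as an added example (not code from Uniswap, Lendf.Me or Tokenlon): a hypothetical pool pays out through a token whose transfer calls a recipient hook, once with its balance record updated after the transfer and once with it updated before. All class and function names and the sample amounts are constructed for illustration.

```python
class HookToken:
    """Toy ledger: transfer() notifies the recipient, like an ERC777 receive hook."""
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "on_tokens_received", None)
        if hook:
            hook(sender, amount)  # control passes to the recipient here

class Pool:
    """Hypothetical pool; checks_effects_first selects the hardened ordering."""
    def __init__(self, token, checks_effects_first):
        self.token, self.hardened, self.credit = token, checks_effects_first, {}

    def deposit(self, user, amount):
        self.token.transfer(user, self, amount)
        self.credit[user] = self.credit.get(user, 0) + amount

    def withdraw(self, user):
        amount = self.credit.get(user, 0)
        if amount and self.hardened:
            self.credit[user] = 0                    # update the record first
            self.token.transfer(self, user, amount)  # then hand over control
        elif amount:
            self.token.transfer(self, user, amount)  # hook runs on a stale record
            self.credit[user] = 0

class ReenteringRecipient:
    """Recipient whose hook calls withdraw() again, at most max_depth times."""
    def __init__(self, pool, max_depth):
        self.pool, self.max_depth, self.depth = pool, max_depth, 0
    def on_tokens_received(self, sender, amount):
        if sender is self.pool and self.depth < self.max_depth:
            self.depth += 1
            self.pool.withdraw(self)

def simulate(checks_effects_first):
    """Return (recipient tokens, pool tokens, credit the pool still owes)."""
    pool = Pool(HookToken(), checks_effects_first)
    rec = ReenteringRecipient(pool, max_depth=3)
    for user, amount in (("other_user", 100), (rec, 10)):  # constructed deposits
        pool.token.balances[user] = amount
        pool.deposit(user, amount)
    pool.withdraw(rec)
    return pool.token.balances[rec], pool.token.balances[pool], sum(pool.credit.values())
```

With the record updated after the transfer, the recipient ends with 40 tokens from a 10-token deposit and the pool holds 70 against 100 still owed to the other depositor. With the record updated first, the nested call finds zero credit and the totals stay consistent.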

Tokenlon informed users that the BTC escrow that backs imBTC 1:1 is not affected by the hack. Users holding imBTC will be able to redeem, trade, transfer, and use other functions after the suspension is lifted, it added.