The hacker who stole $25 million in crypto on April 19 from decentralized finance, or DeFi, protocol, dForce, has since returned the money. Most signs indicate that this was due to the hacker accidentally leaking data which could have led to their identity being discovered. dForce has not issued any clarifying statements, despite mounting criticism of their security practices.
Etherscan data shows that on April 21, the hacker emptied all tokens obtained from the hack into an address identified as “Lendf.me admin.” Lendf.me is the name of the specific platform part of the dForce network.
Mindao Yang, the founder of dForce, confirmed that the funds were returned and that they will be redistributed to their rightful owners.
But while a happy ending for the victims of the attack appears to be in sight, many community members are raising their voice to criticize the project.
A clone of another platform
In the DeFi community, dForce is considered by many to be a clone of another, better known platform called Compound.
Anthony Sassano, co-founder of Ethhub, posted an ironic tweet after the events:
“Now that the hacker has returned the funds to dForce it's time for dForce to return Compound's code.”
Taylor Monahan, CEO of Ethereum wallet company, mycrypto.com, told Cointelegraph a similar story:
“dForce is apparently a pretty basic clone of the older Compound contracts, except that they enabled some tokens that Compound did not.”
Criticism from Brian Kerr, CEO of multi-platform DeFi project, Kava Labs, was even harsher:
“The dForce team copied code they did not understand from Compound, illegally deployed it as their own while changing a few parts without realizing the security issues, and then they heavily marketed it to the world without first running very basic audits.”
As Monahan explained, dForce enabled the ERC-777 token standard which allowed for the “reentrancy attack” to occur. She stressed that it is a feature, not a bug of the standard. “However, if used in certain systems, it becomes bug in that system,” she added.
A well known issue
The reentrancy attack is not new. A similar issue led to the infamous DAO hack in 2016.
In July 2019, this issue was also identified in the Uniswap decentralized exchange. Monahan said that this “feature/bug was exploited two days previous in another system.” This was in reference to Uniswap itself, which actually suffered a $300,000 loss just the day before on April 18. The culprit was the same imBTC token responsible for the dForce hack. It was added by Uniswap community members, despite warnings to the contrary.
The combination of these factors led to a summary judgement from Monahan:
“The ways all of this indicates that dForce is incompetent is that they 1) didn't write their own code but re-used someone else's code in a way prohibit by that code's license and 2) failed to address an issue that came to light once again in very recent days.”
Kerr was more candid:
“I don’t like to say bad things about others usually, hacks can happen to any team, but the dForce incident is particularly bad. The fault is both on the dForce team and the users. Dforce didn’t understand what they were doing and marketed an unsafe product. The users didn’t do their own due diligence on the team or the code base to make sure it’s safe.”
DForce is seeking to rectify these issues. Yang took personal responsibility for failing to foresee the hack, and the company is completely disabling the vulnerable smart contracts.
While the company has yet to provide its own official version of the story, it seems that its users were lucky in their misfortune: the hacker did not know how to cover his tracks.
The event was briefly the largest DeFi hack in its short history. Given its simplicity, it shows that the security practices utilized by the space still need to mature.