Lendf.Me Hacked & Refunded - What is happening to DeFi? Should we still trust it?

2020-04-23 07:00:00 · 2665 views · 5 min read

What Happened to Lendf.me?

On April 19th, the dForce protocol was exploited in a $24.95 million hack that resulted in its Lendf.Me lending platform going offline.

On-chain data on dapp.com shows that the 24hr volume of Lendf.Me suddenly went up to $50M on the same day.

How Did the Hack Work?

The hacker exploited the imBTC token, which is written to the ERC-777 specification, to carry out the attack.

imBTC is an ERC-777-based tokenized BTC operated by the DEX Tokenlon. ERC-777 is compatible with ERC-20 but adds some new features on top of it.

imBTC does not have a safety problem in itself. It is considered a more advanced but also more vulnerable version of the common ERC-20 standard, especially when used in a DeFi context such as the Lendf.Me protocol.

The hacker executed many iterations of a simple attack. In each transaction, the hacker deposited imBTC on the Lendf.Me platform, which was credited to his account's balance. A second deposit within the same transaction added a minuscule amount of imBTC, which allowed a "reentrancy" to withdraw the previously deposited tokens.

Crucially, the contract failed to update the hacker's balance when the money was withdrawn. He was thus free to deposit the BTC again, doubling his balance each time.

He then kept repeating the same attack, which at that point simply inflated his balance until its value covered the entirety of the funds held by the protocol.
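
A minimal illustration of the bug pattern described above and the standard fix, as an added example that is not Lendf.Me's actual code: the vulnerable pool snapshots the user's balance before the token transfer and writes it back afterwards, while an ERC-777 token's tokensToSend hook hands control back to the caller in the middle of that transfer; the hardened pool updates storage first and rejects nested calls. The contract and function names (VulnerablePool, HardenedPool, supply, withdraw) are hypothetical.

```solidity
pragma solidity ^0.8.0;
// For an ERC-777 token such as imBTC, transferFrom() invokes the sender's
// tokensToSend hook before balances move, handing control back to the caller.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE PATTERN (hypothetical, modelled on the behaviour described above):
// balance read before the external call, written back after it.
contract VulnerablePool {
    IToken public immutable token;
    mapping(address => uint256) public supplied;
    constructor(IToken _token) { token = _token; }
    function supply(uint256 amount) external {
        uint256 updated = supplied[msg.sender] + amount;       // stale snapshot
        token.transferFrom(msg.sender, address(this), amount); // hook may re-enter withdraw()
        supplied[msg.sender] = updated;                        // overwrites withdraw()'s decrement
    }
    function withdraw(uint256 amount) external {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        token.transfer(msg.sender, amount);
    }
}

// HARDENED PATTERN: checks-effects-interactions plus a reentrancy guard, so
// storage is final before any token hook runs and a nested call reverts.
contract HardenedPool {
    IToken public immutable token;
    mapping(address => uint256) public supplied;
    uint256 private locked = 1;
    constructor(IToken _token) { token = _token; }
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    function supply(uint256 amount) external nonReentrant {
        supplied[msg.sender] += amount;                        // effect before interaction
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Detection-wise, the tell in the vulnerable version is a storage write that follows an external call using a value read before that call; auditors and static analyzers flag exactly this ordering.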

The on-chain data indicates that the stolen funds have been moved into top DeFi protocols including 1inch.exchange, ParaSwap, Tokenlon, Compound and Aave.

1inch.exchange volume suddenly increased on April 19.

Compound volume peaked on April 19.

Aave Volume reached its highest on April 19.

According to an audit by a Chinese security company, the tokens and amounts stolen were:

  Token    Amount
  WETH     55,159.02134
  WBTC     9.01152
  CHAI     77,930.93433
  HBTC     320.27714
  HUSD     432,162.90569
  BUSD     480,787.88767
  PAX      587,014.60367
  TUSD     459,794.38763
  USDC     698,916.40348
  USDT     7,180,525.08156
  USDx     510,868.16067
  imBTC    291.3471

What Happened Next? - The Hacker Returned the Funds

"He seems to be a good programmer, but an inexperienced hacker," said 1inch.exchange. The hacker leaked his identity throughout the process through his transactions with 3 exchanges.

The hacker sent three transactions of PAX tokens, totalling $250,000, to 1inch.exchange, Paraswap, and an account identified as "Lendf.me admin."

Lendf.me replied with an email address to contact and then signaled that it had responded to the hacker’s inquiry. Later he returned Huobi-issued assets to Lendf.me, worth about $2.6 million.

During his transactions with the 3 exchanges, 1inch.exchange, Paraswap, and Huobi, the hacker leaked important metadata about himself by interacting directly through their web-based content delivery systems.

More interestingly, all three exchange requests came from a single IP address. The hacker is also known to have been using a Mac, and the requests revealed his screen resolution and system language, which was set to "en-us".

By April 21st, the hacker had returned all the funds, and dForce had submitted a case withdrawal request to the Singapore police.

What Is the Future of DeFi? Is It Still Trusted?

Every new thing meets many obstacles and challenges during its development. If it really has value, it will eventually overcome these troubles and progress.

From dapp.com's point of view, we believe DeFi has value in solving the centralized trust problem. More importantly, it gives users all over the world who are underserved by banks or other traditional financial companies the opportunity to access financial services through DeFi. This is critically important to users in South America, India and Africa, where more people are unbanked.

In the future, when everyone has the opportunity to use various safe and open DeFi services, we should thank the early DeFi users who lost their money in previous hacking attacks, as well as the DeFi developers who put 100% of themselves into DeFi development. Thank Them For Taking The First Step Bravely.
