DeFi Protocol loses $25 Million after ERC777 exploit
DeFi protocol dForce, which brands itself as an integrated platform for decentralized lending protocols, lost nearly 99.9% of the total value locked in the protocol today. The platform recently raised funds, and earlier this week the team was called one of the most capable ones.
The ERC777 exploit was used to wipe out the $25 million locked in the DeFi protocol.
The company is known for copying the codebase of the open-source Compound Protocol.
Leshner, CEO of Compound Finance, tweeted:
“If a project doesn’t have the expertise to develop its own smart contracts, and instead steals and redeploys somebody else’s copyrighted code, it’s a sign that they don’t have the capacity or intention to consider security.”
Lendf.me, the lending website of dForce, is also down at press time. Last month Lendf.me tweeted that it is the largest fiat-backed stablecoin lending protocol.
Hartej, a blockchain security expert and Principal at Zokyo, told 8Btc the attack is similar to the DAO hack of 2016. “It’s the nature of the way in which the smart contract is structured.”
Yesterday, the imBTC pool on Uniswap was attacked in a similar way using a reentrancy attack and was drained of ~$300,000 in ETH. imBTC is a tokenized Bitcoin that can be used with smart contracts on platforms like Ethereum.
Both hacks involve ERC777 standard tokens, which are often called ERC20 2.0, i.e. the advanced version of ERC20 tokens. The hooks in ERC777 open up the possibility of reentrancy attacks.
For example, a smart contract that exposes a withdraw function which transfers the funds and only then updates the balance can fall victim to a reentrancy attack, with the hacker making multiple withdraw requests before the transaction finishes.
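The ordering problem described above can be reproduced in a small model. This is an added example, not code from dForce, Compound or any other project named in the article: a Python simulation rather than Solidity, in which `HookToken`, `Pool`, `ReenteringRecipient` and `simulate` are hypothetical names and all balances are constructed.

```python
# Constructed model, not contract code: a token with a receive hook and a pool.
class HookToken:
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook:
            hook(amount)  # control passes to the recipient mid-transfer

class Pool:
    def __init__(self, token, safe):
        self.token, self.safe, self.deposits = token, safe, {}

    def deposit(self, user, amount):
        self.token.transfer(user, self, amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def withdraw(self, user):
        amount = self.deposits.get(user, 0)
        if amount == 0:
            raise ValueError("nothing to withdraw")
        if self.safe:
            self.deposits[user] = 0                  # effect first
            self.token.transfer(self, user, amount)  # interaction last
        else:
            self.token.transfer(self, user, amount)  # interaction first
            self.deposits[user] = 0                  # effect arrives too late

class ReenteringRecipient:
    pool = None  # set once the deposit has been made
    def tokens_received(self, amount):
        if self.pool is not None:
            try:
                self.pool.withdraw(self)  # re-enter before withdraw() returns
            except ValueError:
                pass  # pool refused, or it has no tokens left

def simulate(safe):
    token = HookToken()
    pool, user = Pool(token, safe), ReenteringRecipient()
    token.balances.update({pool: 900, user: 100})  # 900 = other users' funds
    pool.deposit(user, 100)
    user.pool = pool
    pool.withdraw(user)
    return token.balances[user], token.balances[pool]
```

`simulate(False)` returns `(1000, 0)`: the account that deposited 100 leaves with the whole pool because its recorded deposit is still 100 on every nested call, while `simulate(True)` returns `(100, 900)` because the deposit is zeroed before the hook can run.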
Many Twitter users complained that the imBTC attack could have raised an alarm and prompted dForce to suspend services for a short time while it fixed its code. The vulnerability has been known for a long time.
The hack was confirmed on the project's official Telegram group, with the admin Mindao (@mdyang) advising users not to deposit more funds. It was confirmed to ChainNews that the hack occurred at block height 9989681 and at 8:45 GMT.
Various users of dForce have lost a significant amount of funds, with some users commenting that they lost $100k+ in the attack.
On April 15th, dForce raised $1.5 million in a round led by MultiCoin Capital, which was joined by Huobi Capital and CMB International.
Jesse Powell, the founder of Kraken, commented that the worst thing about open-source financial products is that they offer the world’s largest, guaranteed and instant payouts to bounty hunters, i.e. hackers, highlighting the long way the open-source finance industry still has to go.
DeFi protocols have a long way to go. Recently CoinGecko analyzed various DeFi protocols in their book “How To Defi” and concluded that no decentralized financial protocols are entirely decentralized.
The Decentralized Finance industry is still in its infancy, and it’s very important to do your own research before investing significant amounts in new projects. The technical competence of the team and open-source security audits should be part of any decent DeFi project.