Almost all of the $25 million stolen from the DeFi protocol dForce over the weekend has been returned by the hacker. According to data from Ethereum blockchain scanner Etherscan, a large number of transactions were sent from an address called “Lendf.Me Hacker 1” to the administrator address for the Lendf.Me project

However, the attacker did not return exactly the same balance he stole from the wallets of dForce, a decentralized finance protocol behind the Lendf.Me project. Instead, the attacker or attackers returned the majority of the stolen funds, around $10 million, in one large transaction of 57,992 ether (ETH). Another $10 million was spread over dozens of other transactions in various stablecoins, including USDT, BUSD, TUSD, DAI, USDC, HUSD, and PAX. 

The remaining $4 million was returned in WBTC, HBTC, and imBTC, which are Ethereum tokens pegged to Bitcoin. 

One of the first transactions sent back to the Lendf.Me address from the hacker was $126,000 worth of PAX stablecoins, which contained the message “Better luck next time.” 

It is still unclear whether or not the hacker plans on returning the rest of the stolen funds, as early reports from dForce suggested the protocol has lost “at least” $25 million worth of user funds. 

It also remains unclear why the hacker decided to exchange the stolen ether (ETH) into various other ERC-20 and ERC-777 tokens and return them that way. Many believe that the fact that most of the funds have been returned shows that theft wasn’t the goal of the attack and that the attack was only used to expose the flaws in the protocol’s security. While others pointed out that the hacker was a good programmer but not a great hacker as he exposed his IP address and some metadata about his computer. His three requests came from a single IP address. 

The dForce hack utilized a well-known vulnerability in the ERC-777 token standard that has plagued various other DeFi protocols. It is suspected that the hackers exploited the fact that smart contracts on the protocol allowed users to continually withdraw the funds before the balance on the protocol got a chance to update. This way, the funds held by the protocol would have been drained before the protocol got the chance to update the balance and show an exploit has been happening. 

The same ERC-777 vulnerability is also believed to be the cause behind the $300,000 theft Uniswap suffered during the weekend. While similar in nature, this attack is not connected to the dForce exploit. 

Nonetheless, the company has been struggling with community backlash. Mindao Yang, the founder of dForce, said in a Medium post that the company has been working “non-stop” to fix the issue, adding that more information about future strategy will be revealed soon.

All of the funds returned by the hackers are currently being moved from the Lendf.Me Admin address to a separate recovery account, Lendf.Me said in a Twitter post. It is from there that the funds will be distributed further and most likely returned to the users who fell victim to the attack.

But, despite the company’s efforts, many criticized dForce for lack of proper safety measures and security audits. Data from DeFi Pulse showed that the total value locked in the dForce protocol has been decimated from the attack, leaving many to wonder whether the company will be able to recover from the massive losses.