The DeFi space has faced yet another major blow attributed to arbitrage markets after dForce lost close to $25 million this weekend. According to DeFi pulse, this is well over 99% of the total assets initially owned by the decentralized finance protocol. The loss has since been traced to one of the two protocols supported by the dForce foundation, Lendf.me.
This lending protocol initiative came out to confirm the Saturday night and Sunday morning attack of its money market pool through Chain News,
“Lendf.me confirmed it was attacked at 8:45 Beijing time Sunday at block height 9899681,”
Furthermore, dForce has updated its website asking clients not to contribute any assets towards the protocol as of press date. The foundation’s CEO, Mindao Yang, also noted that they have initiated investigations and are engaging relevant stakeholders from different jurisdictions to recover the funds. Notably, this attack depreciated Lendf.me assets held in both BTC and ETH to a low of $6 in total!
Following the development, some crypto experts have weighed in on the attack with somewhat a consensus towards crypto market arbitrage in the DeFi space. The dForce attack is speculated to have been a product of imBTC, an Ethereum based token pegged to Bitcoin on a 1:1 basis. This digital asset is alleged to have been fraudulent hence facilitating the drain of Lendf.me to almost zero expense by the attacker.
Robert Leshner, the CEO of Compound, has also told Coindesk that dForce might have been compromised for copying their V1 code without any adjustments. According to him, the imBTC is not an ordinary Ethereum asset given its ERC-777 standard. DeFi’s leveraging the Compound v1, therefore, need to be extra cautious with the assets they list to prevent a re-entrance attack.
There is still, however, hope for the 1.5 million funded initiative according to Mindao Yang’s blog post. dForce which had just been funded by prominent players led by Multicoin Capital is set to engage security experts for the assessment of Lendf.me. In addition, they are in the process of developing a solution towards recapitalization together with the company’s partners while collaborating with OTC’s and authorities in pursuit of legal action.
And new details in hack reveal that the hacker didn't quite cover his tracks, leaving metadata. The hacker has reached out to the dForce team to return some of the stolen funds. Crypto researcher @FrankResearcher took note of several exchanges between the hacker and the Lendf.me Admin. He returned nearly $2.6M in HUSD. The LendF.me Admin sent a message to the hacker "Contact us. For your better future."
While the situation is still playing out, we'll continue to update this story. Hopefully, the hacker has a change of heart and returns most of the funds.