Chinese-based decentralized finance (DeFi) protocol, DForce, has been attacked. As a result, the company has lost $25 million, which is almost all the total value locked in its system.
A lending platform within dForce network, Lendf Me website, has also been down since the attack.
Mindao Yang, Chief Executive of the dForce platform, has released a statement on the dForce telegram channel. According to him, the security team of the company is still investigating the event and has asked users to stop sending assets to Lendf.Me until further notice. The dForce team also revealed that the Lendf.Me was exploited at block height 9,899,681.
“Lendf.me confirmed it was attacked at 8:45 Beijing time Sunday at block height 9899681,” said dForce in a news bulletin.
Further details of the attack have not been received as the company says any additional details could hinder the investigation into the situation. And it is not clear whether some of the users successfully withdrew their assets before the total seizure of the funds.
imBTC blamed for the attack
In January, Lendf.Me merged with imBTC, an ETH based coin pegged to BTC. But earlier today, there was an exploitation of a liquidity pool for imBTC on Uniswap, a decentralized exchange. This led to the loss of tokens valued at about $300,000.
There are speculations that the attack was enabled by the imBTC, which was utilized as collateral but turned out to be fraudulent.
The attackers took advantage of a loophole in the ERC 777 protocol of imBTC. The platform does not apply updates automatically, which allowed the hackers to call the Uniswap smart contract for funds withdrawal before the updates. It appears that the attacker has already withdrawn several times before the balance was updated on the imBTC platform.
Attack on Lendf.Me similar to imBTC
Many Twitter users believe that the attack on imBTC and Lendf.Me are similar. As the transaction records have indicated, the hacker continuously engineered a withdrawal request to withdraw imBTC, which was sent by the hacker in the first place.
— WooParadog (@WooParadog) April 19, 2020
A similar scheme has occurred in the past
This is not the first time hackers have used this type of scheme to steal money. In 2016, about $60 million Ether was stolen using a similar scheme in the famous DAO hack.
Before this hack, Lendf.Me was among the top 10 biggest DeFi markets by value. But the attack will now swing this position far beyond Lendf.Me.
Just a few days ago, dForce raised about $1.5 million from investors from Huobi and Multicoin Capital. China Merchants Bank international, the investment branch of one of China’s largest banks, also participated in the funding.