dForce Reimburses Affected Users in $25 Million Reentrancy Attack

Author: Jimmy Aki
Last Updated: 28 April 2020

dForce, the decentralized finance (DeFi) services provider, has reportedly refunded all user funds after completing the recovery process from a previous hack. Earlier this week, the firm announced via a tweet that over 90 percent of the $25 million in user funds that it lost in a security breach had been refunded, and users could now check for their cash.

The Hacker Returned Cash to Stay Safe

The hack itself happened a little over a week ago, after a hacker allegedly broke through the platform’s security infrastructure and drained 99.5 percent of the funds locked there in a matter of hours. As reports showed at the time, the hacker used a reentrancy attack – a known vulnerability in ERC-777 tokens – to target the imBTC stablecoin. Once completed, they went on to drain the funds and make off with a handsome $25 million payday.

However, the hacker returned the funds about three days later. Signs at the time indicated that the return was due to the hacker leaking information that would have eventually led to their identity being discovered. Data from Etherscan showed that the hacker emptied the funds into an address identified as “Lendf.me admin.” Ironically, Lendf.me is the name of a particular portion of dForce’s network.

Mindao Yang, the founder of dForce, confirmed that they would be returning the funds to their rightful owners. As yesterday’s tweet showed, they’ve begun making good on that promise.

dForce Feels Harsh Criticism

While dForce appears to have weathered this storm by a string of convenient luck, the firm isn’t out of the woods yet. Many have questioned the efficiency of dForce’s security infrastructure in the past, and if all of the warning signs didn’t trigger enough of an alarm, this hack has made the challenge undeniable.

There’s also the fact that several people have accused dForce of copying the code of another, more popular DeFi platform – Compound. Anthony Sassano, the co-founder of EthHub, tweeted that perhaps this would be the right time for dForce to give Compound their code back and call it quits.

Speaking with industry news source Cointelegraph, Brian Kerr, the chief executive of multi-platform DeFi project Kava Labs, said, “The dForce team copied code they did not understand from Compound, illegally deployed it as their own while changing a few parts without realizing the security issues, and then they heavily marketed it to the world without first running very basic audits.”

The reentrancy attack that dForce suffered, however, isn’t an entirely new occurrence. Back in July 2019, the Uniswap decentralized exchange suffered the same problem. Then, the exchange suffered another attack earlier this month, in which it lost $300,000. Interestingly, the culprit was the same imBTC token that made the dForce attack possible. Uniswap had added the token to its platform despite reported protests from its community members.

Kerr added that in dForce’s situation, however, both the company and its users were at fault. As he pointed out, dForce had copied code and marketed an unsafe product without knowing it was unsafe. The users, for their part, didn’t do their due diligence before trusting the platform.
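As an added illustration of the ERC-777 reentrancy pattern the article describes (example code written for this page, not dForce's, Compound's or imBTC's code): a minimal lending-pool supply function that caches a user's balance across an external token call, beside a hardened version. The contract names, the IERC20 interface and the lock modifier are hypothetical and self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// ERC-20 calls used here. An ERC-777 token exposes the same calls but also runs
// sender/recipient hooks inside transferFrom, which is where re-entry happens.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative lending pool with the stale-balance pattern (hypothetical, not dForce's code).
contract VulnerablePool {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;
    constructor(IERC20 _token) { token = _token; }
    // BUG: the balance is cached before the external call and written back after it.
    // transferFrom on an ERC-777 token invokes the sender's tokensToSend hook, so a
    // contract supplier can call withdraw() from inside that hook; when control
    // returns here, `cached + amount` overwrites the already reduced balance.
    function supply(uint256 amount) external {
        uint256 cached = balances[msg.sender];
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] = cached + amount;
    }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// Same pool with two independent fixes: a reentrancy lock on every function that makes
// an external call, and no balance cached across that call. withdraw() is identical
// to the one above apart from the nonReentrant modifier.
contract HardenedPool {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;
    bool private locked;
    constructor(IERC20 _token) { token = _token; }
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function supply(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount; // reads the live balance after the call
    }
}
```

The same stale-read review applies to every function that makes an external call into a token with hooks, which is the check a Compound-style fork needs before listing an ERC-777 asset such as imBTC.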