Decentralized finance (DeFi) protocol dForce made the headlines last week for securing a $1.5 million funding round with participants such as Huobi Capital and CMB International, led by crypto venture fund Multicoin Capital. Less than a week after dForce announced that it would use the new investment funds to expand its team and focus on developing its product offerings, news broke out on early Sunday, revealing that $25 million worth of Bitcoin (BTC) and Ethereum (ETH) were stolen from dForce’s lending protocol Lendf.Me as hackers exploited a security weakness in an ERC777 token imBTC integrated on the system.
dForce confirmed the hacking incident with Chinese news media Chain News; at a block height of 9989681, malicious actors attacked the protocol at 8.45 am in the morning and drained almost all of dForce’s funds, with Lendf.Me’s hedging assets falling by 57%. imBTC was made available on Lendf.Me in January, and the token was also involved in another attack on Uniswap, another crypto exchange, where $300,000 worth of crypto were stolen yesterday.
The ERC777 token imBTC is an Ethereum token pegged 1:1 with BTC created by TokenIon and is an unconventional Ethereum asset with a security flaw which allows “re-entry attacks”, according to Coindesk. The stolen funds were sent to other protocols, namely Compound and Aave.
dForce Foundation, the entity behind the protocol, is currently still investigating the attack with the help of TokenIon. Smart contracts on both TokenIon and Lendf.Me have been halted temporarily, and Lendf.Me’s site has since been taken down. The firm has been largely silent and users have so far been left in the dark regarding updates on the investigation.
You may also want to read: Etherscan Launches ETHProtect to Track High-Risk & Illicit Activity