Published in dForce

A Summary of the Attack on Lendf.Me on April 19, 2020

On 19 April 2020, Lendf.Me, the lending protocol in the dForce network, was attacked and approximately $25 million in assets were drained from the contract.

We learned of the attack at 9:15 am (UTC+8) through our internal monitoring system. Immediately following, we temporarily paused Lendf.Me and USDx and pulled down the website to investigate the attack and assess the situation. The situation is evolving, and we’re learning more every minute; however, it appears the hacker(s) have concluded their attack.

We know that the hackers exploited a vulnerability in the combination of ERC777 tokens and DeFi smart contracts to execute a reentrancy attack. The callback mechanism enabled the hacker to supply and withdraw ERC777 tokens repeatedly before the balance was updated. Further analysis of the hack is available in PeckShield’s report.
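The following is an added illustration, not part of the original post and not Lendf.Me's contract code: a simplified Python model of a callback-based reentrancy flaw of the kind described above, next to a guarded variant. The class names, the `solvent` invariant and all amounts are assumptions constructed for the example.

```python
# Simplified model, constructed for illustration; not Lendf.Me's contract code.
from contextlib import contextmanager
class HookToken:  # calls a sender-supplied hook before moving funds (ERC777-style)
    def __init__(self, balances):
        self.bal = dict(balances)
    def transfer(self, src, dst, amount, hook=None):
        if hook:
            hook()                                  # callback runs mid-transfer
        if self.bal[src] < amount:
            raise ValueError("insufficient token balance")
        self.bal[src] -= amount
        self.bal[dst] += amount

class Pool:
    def __init__(self, token, guarded):
        self.token, self.guarded, self.locked = token, guarded, False
        self.ledger = {}                            # pool's record of deposits
    @contextmanager
    def _guard(self):
        if self.guarded and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            yield
        finally:
            self.locked = False
    def supply(self, user, amount, hook=None):
        with self._guard():
            cached = self.ledger.get(user, 0)       # read before external call
            self.token.transfer(user, "pool", amount, hook)
            self.ledger[user] = cached + amount     # stale value written back
    def withdraw(self, user, amount):
        with self._guard():
            if self.ledger.get(user, 0) < amount:
                raise ValueError("insufficient recorded balance")
            self.ledger[user] -= amount
            self.token.transfer("pool", user, amount)
    def solvent(self):                              # invariant worth monitoring
        return sum(self.ledger.values()) <= self.token.bal["pool"]
def scenario(guarded):
    pool = Pool(HookToken({"alice": 100, "bob": 110, "pool": 0}), guarded)
    pool.supply("alice", 100)
    pool.supply("bob", 100)
    try:    # constructed hook: withdraw re-entered while supply is in progress
        pool.supply("bob", 10, hook=lambda: pool.withdraw("bob", 100))
        rejected = False
    except RuntimeError:
        rejected = True
    ledger_total = sum(pool.ledger.values())
    return rejected, pool.solvent(), ledger_total, pool.token.bal["pool"]
```

With `guarded=False` the ledger ends up recording more than the pool actually holds, which is the condition the `solvent` check detects; with the lock enabled the nested call is rejected and the whole operation fails without changing state.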

The hacker(s) have attempted to contact us and we intend to enter into discussions with them.

We are doing everything in our power to contain the situation. We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s)’s addresses, and engaged our legal teams.

This attack not only harmed our users, our partners, and my co-founders, but also me personally. My assets were stolen in this attack, too.

This attack was my failure. While I did not execute it, I should have anticipated it and taken actions to prevent it. My heart goes out to everyone harmed, and I will do everything in my power to make this right. I sincerely apologize to our users, to our new investors, and to my team for letting them down.

I will provide a more detailed update here on our blog by 11:59PM (UTC+8) on Monday, April 20, 2020.

In the meantime, here’s what we are doing:

  1. We have contacted top-ranking security companies for a more comprehensive security assessment of Lendf.Me.
  2. We are developing a solution with our partners to recapitalize the system. While we have been knocked down by this attack, I do not intend to let it stop us.
  3. We are collaborating with major exchanges, OTC desks, and law enforcement agencies to investigate the situation, arrest the movement of the stolen funds, and track down the hackers.

Despite being harmed by this attack, I am sustained by an outpouring of support from our community. Over the past couple of hours I have received countless messages, words of encouragement, and offers to help. The dForce community is truly an amazing group of people and I’m grateful for each and every one of you.

Yours truly,

Mindao Yang


dForce is an integrated and interoperable platform of opening finance protocols, covering lending, assets and trading.

Mindao YANG


Founder@dForce
