A Summary of the Attack on Lendf.Me on April 19, 2020

Mindao YANG
Apr 19, 2020

On 19 April 2020, Lendf.Me, the lending protocol in the dForce network, was attacked and approximately $25 million in assets were drained from the contract.

We learned of the attack at 9:15 am (UTC+8) through our internal monitoring system. Immediately following, we temporarily paused Lendf.Me and USDx and pulled down the website to investigate the attack and assess the situation. The situation is evolving, and we’re learning more every minute; however, it appears the hacker(s) have concluded their attack.

We know that the hackers utilized a vulnerability with the combination of using ERC777 tokens and DeFi smart contracts to execute a reentrancy attack. The callback mechanism enabled the hacker to supply and withdraw ERC777 tokens repeatedly before the balance was updated. More analysis on the hack can be viewed from PeckShield’s report.

The hacker(s) have attempted to contact us and we intend to enter into discussions with them.

We are doing everything in our power to contain the situation. We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s)’s addresses, and engaged our legal teams.

This attack not only harmed our users, our partners, and my co-founders, but also me personally. My assets were stolen in this attack, too.

This attack was my failure. While I did not execute it, I should have anticipated it and taken actions to prevent it. My heart goes out to everyone harmed, and I will do everything in my power to make this right. I sincerely apologize to our users, to our new investors, and to my team for letting them down.

I will provide a more detailed update here on our blog by 11:59PM (UTC+8) on Monday, April 20, 2020.

In the meantime, here’s what we are doing:

  1. We have contacted top-ranking security companies for a more comprehensive security assessment of Lendf.Me.
  2. We are developing a solution with our partners to recapitalize the system. While we have been knocked down by this attack, I do not intend to let it stop us.
  3. We are collaborating with major exchanges, OTC desks, and law enforcement agencies to investigate the situation, arrest the movement of the stolen funds, and track down the hackers.

Despite being harmed by this attack, I am sustained by an outpouring of support from our community. Over the past couple of hours I have received countless messages, words of encouragement, and offers to help. The dForce community is truly an amazing group of people and I’m grateful for each and every one of you.

Yours truly,

Mindao Yang

dForce
