A Summary of the Attack on Lendf.Me on April 19, 2020

Mindao YANG
dForce
Apr 19, 2020

On 19 April 2020, Lendf.Me, the lending protocol in the dForce network, was attacked and approximately $25 million in assets were drained from the contract.

We learned of the attack at 9:15 am (UTC+8) through our internal monitoring system. Immediately following, we temporarily paused Lendf.Me and USDx and pulled down the website to investigate the attack and assess the situation. The situation is evolving, and we’re learning more every minute; however, it appears the hacker(s) have concluded their attack.

We know that the hackers utilized a vulnerability with the combination of using ERC777 tokens and DeFi smart contracts to execute a reentrancy attack. The callback mechanism enabled the hacker to supply and withdraw ERC777 tokens repeatedly before the balance was updated. More analysis on the hack can be viewed from PeckShield’s report.
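The failure mode described above, as an added example that is not part of the original post and is not Lendf.Me's contract code: a simplified Python model in which a pool reads a user's balance, calls into a token whose send hook runs caller-controlled code, and only then writes the balance back. The class names, the `safe` reentrancy lock and all amounts are constructed assumptions for illustration.

```python
class HookedToken:  # ERC777-style ledger: the sender's hook runs before balances move
    def __init__(self, bal):
        self.bal, self.hooks = dict(bal), {}

    def transfer(self, src, dst, amount):
        if src in self.hooks:
            self.hooks[src]()                    # control passes to sender-supplied code
        if self.bal.get(src, 0) < amount:
            raise ValueError("insufficient tokens")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount

class Pool:  # toy lending pool (assumed design); safe=True adds a reentrancy lock
    def __init__(self, token, safe):
        self.token, self.safe, self.locked, self.credit = token, safe, False, {}

    def _enter(self):
        if self.safe and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True

    def supply(self, user, amount):
        self._enter()
        try:
            new_credit = self.credit.get(user, 0) + amount  # read before the external call
            self.token.transfer(user, "pool", amount)       # hook fires inside this call
            self.credit[user] = new_credit                  # write uses the stale read
        finally:
            self.locked = False

    def withdraw(self, user, amount):
        self._enter()
        try:
            if self.credit.get(user, 0) < amount:
                raise ValueError("insufficient credit")
            self.credit[user] -= amount
            self.token.transfer("pool", user, amount)
        finally:
            self.locked = False

def scenario(safe):
    """Constructed run; returns (recorded credit, tokens the pool actually holds)."""
    token = HookedToken({"user": 101})
    pool = Pool(token, safe)
    pool.supply("user", 100)                                  # ordinary deposit
    token.hooks["user"] = lambda: pool.withdraw("user", 100)  # hook re-enters the pool
    try:
        pool.supply("user", 1)
    except RuntimeError:
        pass                                                  # on-chain this would revert
    return pool.credit["user"], token.bal["pool"]
```

Without the lock the pool records 101 units of credit while holding 1 token; with it the nested call is rejected and credit and holdings stay equal, which is the invariant a monitor or test suite can assert.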

The hacker(s) have attempted to contact us and we intend to enter into discussions with them.

We are doing everything in our power to contain the situation. We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s)’s addresses, and engaged our legal teams.

This attack not only harmed our users, our partners, and my co-founders, but also me personally. My assets were stolen in this attack, too.

This attack was my failure. While I did not execute it, I should have anticipated it and taken actions to prevent it. My heart goes out to everyone harmed, and I will do everything in my power to make this right. I sincerely apologize to our users, to our new investors, and to my team for letting them down.

I will provide a more detailed update here on our blog by 11:59 PM (UTC+8) on Monday, April 20, 2020.

In the meantime, here’s what we are doing:

  1. We have contacted top-ranking security companies for a more comprehensive security assessment of Lendf.Me.
  2. We are developing a solution with our partners to recapitalize the system. While we have been knocked down by this attack, I do not intend to let it stop us.
  3. We are collaborating with major exchanges, OTC desks, and law enforcement agencies to investigate the situation, arrest the movement of the stolen funds, and track down the hackers.

Despite being harmed by this attack, I am sustained by an outpouring of support from our community. Over the past couple of hours I have received countless messages, words of encouragement, and offers to help. The dForce community is truly an amazing group of people and I’m grateful for each and every one of you.

Yours truly,

Mindao Yang
