Lendf.Me Hack Resolution Part I: Asset Redistribution Plan
On April 19, 2020 (UTC+8), Lendf.Me was attacked and $25 million worth of cryptoassets were drained from the contract. In our CEO Mindao Yang’s last update earlier this week, he reported that nearly all of the stolen funds (approximately $25M) have been successfully recaptured thanks to the efforts of our partners, law enforcement, investors, the community, and our team.
- Auditing asset data through internal data and third-party cross-checking
- Establishing an asset distribution plan and corresponding risk management procedure to ensure the accuracy and security of the redistribution process
- Developing the Asset Recovery System (live now)
- Finalizing a post-asset-redistribution action proposal to our community
In this post, we’d like to update our community members on this asset redistribution plan, with step-by-step instructions for the exposed users to follow. While we are eager to inform the community of the action items we will be taking to ensure asset security and system robustness going forward, we believe that returning the stolen funds to the users is the absolute priority at this moment. In the next 3 days, we will expand on our further actions in Part II of this Resolution, the post-asset-redistribution action proposal.
The Lendf.Me smart contracts were compromised during the attack. As a result, we indefinitely paused the Lendf.Me contract and built a new Asset Recovery System to return the stolen assets to users.
Following the return of the stolen funds, all assets have been stored in a cold wallet. The funds are secure, and we’re eager to return them.
Given that the hacker was only able to exchange a few assets before returning the funds, we have elected to rebalance most of the portfolio back to the last state prior to the contract being attacked and the pausing of the contract. Users will be made whole.
We’d like to thank the team at PeckShield for its help in cross-checking the on-chain data and its security and technical advice on asset recovery. They have been instrumental during this process.
IMPORTANT NOTE: We’ve observed multiple phishing attempts through various non-affiliated sites. Please only use https://www.lendf.me/ for the Lendf.Me asset recovery process, or make transactions directly through imToken, Bitpie, and MYKEY. Please also use the exact same address that interacted with the Lendf.Me contract to conduct asset recovery.
You are advised to repay or withdraw from our website. The ONLY address for loan repayment and collateral recovery (we have marked this address on Etherscan as “Lend.Me: Recovery”) is: https://etherscan.io/address/0xc88fcc12f400a0a2cebe87110dcde0dafd29f148
1. Total Supply, Total Borrow and Net Asset
Lendf.Me’s outstanding supply and borrow balance snapshot was taken at 12:57 PM on April 19, 2020 (UTC+8), at block height 9,900,772, when the Lendf.Me contract was paused. All users’ outstanding supply and borrow balances are valued using oracle prices at the same snapshot. The balance sheet as of the time the contract was paused is as follows:
2. Procedures for asset withdrawal and loan repayment
For users who only had outstanding supplied assets
For those of you who only supplied but didn’t borrow from Lendf.Me, please log in with the same wallet address you used to interact with the Lendf.Me contract. After logging into the “Asset Recovery System”, please check your balance and confirm the Terms and Conditions; the confirmation will trigger the withdrawal process automatically.
As we are expecting a large volume of withdrawal requests during this time, we will take care of each withdrawal on a first-come, first-served basis. For those who do not confirm the Terms and Conditions and submit a withdrawal request, we will return your assets to the original address automatically within 1 week.
For users who borrowed loans on the platform
Step 1: Check your supply and borrow status
When you visit https://www.lendf.me/, please read the process instructions. After logging into the “Asset Recovery System”, please connect your original MetaMask wallet to the system, or use your original mobile wallet to connect.
After logging in, please check that your supply and borrowing balances are correct. If you have questions regarding the balance, or if your original address cannot be used to repay and receive funds (i.e., a contract address), please reach us through the contact provided at the very end of this section.
Step 2: Repay the outstanding borrowed assets first before retrieving your collateral
You need to repay the entire outstanding borrowed balance on your account before proceeding to claim your collateral. You need to repay the full amount within 7 days. If you have not repaid the full borrowing balance by the due time, the collateral will be sold to repay the outstanding loans and the residual value (total supply - total borrow) in stablecoin will be returned to your address.
Step 3: Claiming the collateral assets
After you pay back the full amount, your collateral will be returned to the original address within 24 hours (if no separate request has been made).
3. Mandatory Asset Settlement
If an outstanding loan is unpaid after 7 days (inclusive) or the collateral-to-loan ratio falls below 125%, whichever is earlier, the supplied assets (if there are any left) will be exchanged at market price into stablecoins (which could include USDT, USDC, PAX, TUSD, USDx, and DAI). After netting off the borrowed amount, the net position (total supply amount - total borrow amount), in equivalent market value of stablecoins, will be returned at the time of the settlement.
4. Decimal places
All imBTC/WBTC/HBTC amounts are rounded down to 6 decimals, ETH to 4 decimals, and stablecoins to 2 decimals.
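The settlement and rounding rules in sections 3 and 4 can be checked independently against the figures shown in the recovery system. The following is an added example, not code from dForce or the Asset Recovery System. It assumes supply and borrow totals are already expressed in USD, and it reads "after 7 days (inclusive)" as meaning that day 7 is still inside the repayment window; all function names are hypothetical.

```python
from decimal import Decimal, ROUND_DOWN

# Decimal places per asset, from section 4 of the post.
BTC_LIKE = {"imBTC", "WBTC", "HBTC"}                         # 6 decimals
STABLECOINS = {"USDT", "USDC", "PAX", "TUSD", "USDx", "DAI"}  # 2 decimals
MIN_RATIO = Decimal("1.25")   # 125% collateral-to-loan threshold (section 3)
REPAY_WINDOW_DAYS = 7         # repayment window (section 3)


def round_down(amount, asset):
    """Truncate an amount to the precision the post gives for the asset."""
    if asset in BTC_LIKE:
        places = 6
    elif asset == "ETH":
        places = 4
    elif asset in STABLECOINS:
        places = 2
    else:
        raise ValueError(f"no rounding rule stated for {asset}")
    quantum = Decimal(1).scaleb(-places)          # e.g. 0.000001 for 6 places
    return Decimal(amount).quantize(quantum, rounding=ROUND_DOWN)


def settlement(supply_usd, borrow_usd, days_elapsed, payout_asset="USDx"):
    """Return (must_settle, net_position) for one account.

    supply_usd / borrow_usd: account totals in USD (assumed inputs).
    days_elapsed: whole days since the repayment window opened (assumed).
    """
    supply, borrow = Decimal(supply_usd), Decimal(borrow_usd)
    net = round_down(supply - borrow, payout_asset)
    if borrow == 0:
        return False, net                         # supply-only account
    overdue = days_elapsed > REPAY_WINDOW_DAYS    # assumption: day 7 is in-window
    below_ratio = supply / borrow < MIN_RATIO     # strictly below 125%
    return overdue or below_ratio, net


if __name__ == "__main__":
    # Constructed sample accounts: (supply USD, borrow USD, days elapsed).
    for acct in [("1500", "1000", 3), ("1200", "1000", 3), ("1500", "1000", 8)]:
        print(acct, settlement(*acct))
```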
5. Customer Service & Contact
If the balance shown in the system is at odds with your record or you cannot follow the instructions specified above, please email us at firstname.lastname@example.org. We will assist you.
To contact the dForce community manager, please add “dForcebaobao” on WeChat, or write “jeff@dForce” on Telegram.