But in a stunning turn of events, the attacker has since returned the stolen funds. Observers believe this was due to poor hacking practice that left his identity exposed.
The dForce attacker has started returning a significant amount of the stolen funds back to the team. Yesterday, he returned $2.79 million. Today, he returned $10.95 million so far. That means the attacker has so far returned $13.74 million or 55% of the total. This is fascinating pic.twitter.com/bRJPnEyLn0
— Larry Cermak (@lawmaster) April 21, 2020
Mostly Ethereum Stolen in dForce Attack
On Saturday night there was an attack of the Lendf.Me open-source market protocol, which is part of the dForce network of DeFi protocols.
dForce currently operates two protocols, the other one being USDx. This is a meta-stablecoin that is pegged against a basket of regulated stablecoins in USDC, PAX, and TUSD.
Like the crop of most DeFi protocols at present, Lendf.Me operates by matching the supply and borrowing of Ethereum-based ERC20 tokens. It allows users to deposit ERC20 stablecoins to earn interest or borrow supported assets using crypto as collateral.
The attack netted $10 million of Ethereum, $4.4 million Bitcoin, with the $10.4 million balance consisting of various stablecoins.
According to blockchain security researchers, PeckShield, the attacker exploited a bug in the lending function that approved the release of funds in collateral exchange for imBTC, a token which pegs Bitcoin and Ethereum.
“the deposit function, i.e., supply() in Lendf.Me is hooked by embedding an additional withdraw() operation, leading to the effect of increasing the internal record of the attacker’s imBTC collateral amount without actually depositing the amount.”
Value locked in dForce in USD following the attack. (Source: defipulse.com)
Not only that, but CEO of fellow DeFi protocol Compound, Robert Leshner took the opportunity to launch a scathing attack on dForce by accusing it of stealing Compound’s code.
If a project doesn’t have the expertise to develop it’s own smart contracts, and instead steals and redeploys somebody else’s copyrighted code, it’s a sign that they don’t have the capacity or intention to consider security.
Hope developers & users learn from the @LendfMe hack.
— Leshner (@rleshner) April 19, 2020
The Unexpected Return of Funds
However, earlier this morning, in an astonishing turnaround, the attacker set about returning all of the stolen funds. This includes the lions share of $10 million Ethereum. But it seems as though the stablecoins were exchanged for other crypto assets before returning.
Now the attacker has returned virtually all funds. He took away $25 million and returned $23.8 million. The disparity is likely only because price went down slightly in the last two days. So there is no doubt in my mind that the attacker got caught and was forced to return it
— Larry Cermak (@lawmaster) April 21, 2020
It’s unclear what motivated this action, but Larry Cermak, Director of Research at The Block, drew attention to critical oversights made by the attacker in laundering the proceeds.
Namely, in moving the stolen Ethereum and other crypto assets, to decentralized exchanges, the hacker simply used a VPN or proxy server, whereas more experienced hackers would facilitate the transfer using a decentralized network, such as Tor.
This blunder leaked metadata, including his IP address and also left a pathway to trace his identity via the subpoena of information from the server operator.
What’s more, Sergej Kunz, CEO of 1inch exchange, which was one of the decentralized exchanges used in laundering the stolen funds, was willing to discuss the issue openly.
Indeed, Kunz’s cooperation in the matter highlights industry-wide cooperation in fighting hackers. Regarding the incident, Kunz remarked:
“He seems to be a good programmer, but an inexperienced hacker.”
On that note, even though the hacker has now returned the stolen crypto assets, the reputation of DeFi remains tarnished.
Featured image from Unsplash.