A relatively new decentralized finance (DeFi) project called ForceDAO reportedly suffered an attack by five hackers in the wee hours of Sunday. The exploit of the xFORCE contract is yet another reminder that a massive inflow of money, poured by FOMO-driven investors into initiatives that are only a few hours old, can have serious consequences.
Another New DeFi Protocol Exploited
In the latest attack, the exploiters reportedly drained and liquidated a total of 183 ETH (almost $367K) worth of FORCE tokens. Force’s xFORCE contract was hacked and drained by a white hat hacker. As explained by Polymath Lab’s blockchain team lead, Mudit Gupta, one of the five hackers reportedly returned some of the stolen funds.
According to the post-mortem analysis published on the DeFi platform’s portal, the hackers were able to deposit FORCE tokens that would fail the “transferFrom call and receive xFORCE tokens”, as the xFORCE contract expects a revert from the token but instead receives false.
Alberto Cevallos noted that the entire episode could have been avoided by using a standard OpenZeppelin ERC-20 or by adding a safeTransferFrom wrapper in the xSUSHI contract.
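The failure mode the post-mortem describes, as an added Solidity example (not ForceDAO's code and not part of the original article): a vault that ignores a `false` return from `transferFrom`, beside a version that checks it. The contract and function names are hypothetical, and the token omits allowances to keep the sketch short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: every name below is hypothetical, not ForceDAO's code.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Token that signals failure by returning false instead of reverting.
// Allowance checks are left out for brevity (assumption of this sketch).
contract FalseOnFailToken is IERC20Like {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount) return false; // no revert on failure
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract Vault {
    IERC20Like public immutable token;
    mapping(address => uint256) public shares;

    constructor(IERC20Like token_) {
        token = token_;
    }

    // Weak: the return value is ignored, so a failed transfer still credits shares.
    function depositUnchecked(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount;
    }

    // Corrected: a false return is treated as failure and reverts before crediting.
    function depositChecked(uint256 amount) external {
        bool ok = token.transferFrom(msg.sender, address(this), amount);
        require(ok, "transferFrom failed");
        shares[msg.sender] += amount;
    }
}
```

OpenZeppelin's `SafeERC20.safeTransferFrom` performs the same check and also handles tokens that return no value at all.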
Cevallos also went ahead and stated that the platform takes complete responsibility for the “engineering oversight” and has started processes to make sure any such incidents are mitigated in the future. He also added,
“We also want to thank the White Hat hacker who helped deter further FORCE tokens from being drained. We have a bounty for you. All funds on our platform are safe, only xFORCE was affected.”
As part of the processes to alleviate concerns surrounding future exploitation, the DeFi hedge fund will now have a snapshot and also a new token. Cevallos announced that the necessary steps for internal restructuring have commenced and that a plan will be unveiled over the coming days to make any affected FORCE holders and LPs whole.
Earlier, the DeFi protocol’s developers had announced the airdrop of its FORCE tokens, which lost 90% of their value after the attack, to users of other protocols. This decision was made to ensure a fair launch and to lure users to the platform. According to reports, a total of 25 million FORCE tokens were to be airdropped over a period of a month to those staking on Aave, Alchemix, Badger, Balancer, Curve, MakerDAO, Synthetix, Sushi, Vesper, and Yearn Finance.