ForceDAO

DeFi aggregator raided by five hackers on launch day

Four malicious hackers and one white-hat have gone to town on ForceDAO during its launch day.

Fledgling decentralized finance protocol ForceDAO has had a rough start, with several incursions from hackers taking place just hours after it launched.

The Ethereum-based yield aggregator had only just launched its airdrop campaign on April 3 when four malicious “black-hat” hackers managed to drain a total of 183 ETH worth approximately $367,000 at the time. One friendly “white-hat” hacker also assisted the team by alerting them to prevent further losses.

The team has released a post-mortem of the attacks and taken responsibility for what it termed as an “engineering oversight.”

Following the incursion, the team made a decision to transfer 60 million FORCE tokens from the treasury multi-signature wallet into a deployer wallet to create and execute three votes that would effectively burn the FORCE balances in three of the hackers’ addresses.

The post-mortem explained that the xFORCE platform affected was a fork of a SushiSwap smart-contract containing a mechanism to revert tokens in the event of failed transactions. The protocol describes xFORCE as the “interest-bearing” version of FORCE, representing shares in its pools similar to how LP tokens work.

A flaw in the contract used by ForceDAO enabled the attackers to exploit this mechanism to mint xFORCE tokens which were then withdrawn and exchanged for ETH on the markets. The team acknowledged the attack would have been relatively easy to prevent.

“This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract.”

It added that the hack was currently under investigation as some of the addresses originated from the popular exchanges FTX and Binance. A snapshot will be taken and the project will be re-launched with a new xFORCE token, it added.

Following the launch and airdrop, FORCE token prices surged to over $2 on Apr. 4, but have since crashed over 95% to $0.05 at the time of writing.


Millions Drained in ForceDAO Attacks, White Hat Returns Funds

Another multi-million dollar rug pull has hit the DeFi space. This weekend, ForceDAO is the victim. 

Disaster for ForceDAO 

ForceDAO has suffered a major attack. 

The exploit centers on a bug in the xFORCE contract’s code, which allowed anyone to call the “deposit” function regardless of whether they were holding FORCE tokens. That meant it was possible to mint xFORCE tokens from the contract without locking any tokens in the vault.

Anyone could then exchange these tokens for FORCE by calling the “withdraw” function in the contract. 
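The deposit flaw described in both reports, next to the checked form that the quoted safeTransferFrom remark points to, as an added example that is not ForceDAO's or SushiSwap's contract code. It assumes the deposit token reports a failed transfer by returning false instead of reverting; the contract names and the 1:1 share pricing are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; names and 1:1 share pricing are hypothetical.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

abstract contract VaultBase {
    IERC20 public immutable token;              // deposit token (FORCE in the reports)
    mapping(address => uint256) public shares;  // share balance (xFORCE in the reports)

    constructor(IERC20 _token) { token = _token; }
}

// Weak form: the boolean result of transferFrom is discarded.
contract UncheckedVault is VaultBase {
    constructor(IERC20 t) VaultBase(t) {}

    function deposit(uint256 amount) external {
        // Assumption: the token returns false on failure instead of reverting.
        // Nothing moves into the vault, yet execution continues and shares
        // are credited to a caller who locked no tokens.
        token.transferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount;
    }
}

// Corrected form: a safeTransferFrom-style wrapper reverts on any failure.
contract CheckedVault is VaultBase {
    constructor(IERC20 t) VaultBase(t) {}

    function deposit(uint256 amount) external {
        _safeTransferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount; // reached only after a successful transfer
    }

    function _safeTransferFrom(address from, address to, uint256 amount) private {
        // Low-level call so both token styles are handled: tokens that revert
        // (ok == false) and tokens that return false (decoded value == false).
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        // Empty return data is accepted for tokens that return nothing.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transferFrom failed");
    }
}
```

OpenZeppelin's SafeERC20 library provides a maintained `safeTransferFrom` with the same checks plus a contract-existence check, and is preferable to a hand-written wrapper in production code.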

Several attackers took advantage of the exploit earlier this morning. One of them took about 14.8 million FORCE, which had a notional value of around $34 million at the time. They’ve since returned the funds to the pool.

However, four others drained another 6.75 million tokens and have begun exchanging their takings for ETH on various exchanges. As the white hat attacker had already found the exploit, liquidity plunged, which meant every subsequent attacker earned significantly less for their FORCE. 

Mudit Gupta, blockchain team lead at Polymath Network, detailed the attack in a tweetstorm.   

ForceDAO organized a highly anticipated airdrop yesterday, in which FORCE tokens were distributed to active Ethereum users. It was trading at around $2.30 earlier this morning but has since plummeted. At one point, it was down 95% and is now worth around $0.26.

One of the black hat attackers used an address linked to the centralized exchange FTX, which gives some hope that the funds may be recovered. Most of the rest, though, has already been sold through the decentralized exchanges 1inch and SushiSwap. 

ForceDAO took to Twitter to confirm the attack. According to the team, a post-mortem will follow. 

This is a developing story and will be updated as further details surface.

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies. They also had exposure to SUSHI in a cryptocurrency index. 
