How DeFi’s Lendf.me Lost $25 Million in Ethereum, Tether And More: A Breakdown
Update (2:30 p.m. PST on Thursday): In a surprise move, the hacker has returned all the lost Ethereum and ERC tokens after purportedly leaking their IP address to an exchange they were using. The Singapore police and other authorities were purportedly involved in this operation. The hacker’s identity has not been made public. dForce is currently working on a protocol to “make users whole,” as the team’s CEO said in a heartfelt note.
Ethereum-based decentralized finance (DeFi) protocol Lendf.me just lost $25 million in a brutal exploit. Here’s what happened, and what comes next for those involved.
The Hack of Ethereum DeFi App Lendf.me
On the evening of Apr. 18, users on Twitter began to notice that Lendf.me was losing funds at a rapid clip, at a rate that would be deemed unsafe by normal standards.
Data indicated that within the span of a few hours, the protocol had lost 57 percent of its locked value. Simultaneously, Lendf.me’s website threw up a banner in both Chinese Mandarin and English saying that users should not deposit funds into the protocol.
But, it was too late. By the time the error had been caught, the protocol was empty; the $25 million worth of Ethereum, Tether’s USDT, and other leading tokens that were deposited were gone, withdrawn primarily to this address. In total, $25 million was lost, with a majority of the value lost held in tokens like Ethereum, USD Coin, USDT, and imBTC, a tokenized Bitcoin.
What happened, according to an analysis by a crypto-centric cybersecurity company, was that an attacker leveraged broken code related to imBTC, a version of tokenized Bitcoin that Lendf.me supported.
The code — related to the token’s `tokensToSend()` hook — allowed the attacker to inflate his imBTC balance as recorded by the Lendf.me contract without actually depositing the amount he indicated. After exploiting this broken function multiple times in what has been called a “reentrancy attack,” the protocol registered that he had enough collateral to withdraw all of the tokens that had been deposited, resulting in the wipeout of funds.
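The accounting mistake behind that kind of reentrancy, shown as an added Solidity illustration rather than Lendf.me’s actual code: a lender that caches a balance, makes the token transfer (which fires the ERC-777 hook), and only then writes the cached figure back, beside a version that updates storage first and blocks re-entry. The names IToken, LenderFlawed and LenderHardened are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface. imBTC is ERC-777: transferFrom invokes the holder's
// tokensToSend hook before balances move, so the holder's contract runs code
// in the middle of the lender's supply().
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Flawed pattern (constructed illustration): the new balance is computed from a
// value cached before the external call and written back after it, so anything
// the hook changes in balanceOf[msg.sender] in between is silently overwritten.
contract LenderFlawed {
    IToken public immutable token;
    mapping(address => uint256) public balanceOf;
    constructor(IToken t) { token = t; }

    function supply(uint256 amount) external {
        uint256 cached = balanceOf[msg.sender];                          // read
        require(token.transferFrom(msg.sender, address(this), amount));  // hook runs here
        balanceOf[msg.sender] = cached + amount;                         // stale write
    }
}

// Hardened pattern: checks-effects-interactions plus a mutex. Storage is updated
// before any external call, and no entry point can be re-entered while another
// is still executing, whichever token hook fires.
contract LenderHardened {
    IToken public immutable token;
    mapping(address => uint256) public balanceOf;
    bool private locked;
    constructor(IToken t) { token = t; }
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function supply(uint256 amount) external nonReentrant {
        balanceOf[msg.sender] += amount;                                 // effect first
        require(token.transferFrom(msg.sender, address(this), amount));  // interaction last
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount));
    }
}
```

When reviewing a lending contract that accepts tokens with transfer hooks, the thing to look for is exactly this read/external-call/write ordering on any balance or collateral field.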
A similar exploit was used to drain an imBTC decentralized exchange market of $300,000 worth of tokens some 12 hours before the Lendf.me hack took place, meaning the writing was on the wall.
The attack came literally four days after dForce announced that it had completed a $1.5 million funding round, which saw participation from crypto fund Multicoin Capital, digital asset exchange Huobi, and an investment branch of China’s fifth-largest bank.
It’s An Ongoing Story
While funds involved in crypto scams and hacks are more often than not unrecoverable, individual users of the protocol and dForce itself are trying to remedy the situation.
Because text can be embedded in an Ethereum transaction’s data field as hexadecimal, many began to reach out to the hacker’s address in the wake of the attack.
Some begged for their money back, with one writing: “That money, the $10,700, was basically all of my cash savings. I don’t know what you’re [sic] situation is but I’m personally hurting. Please do what you think is right.”
Others took the time to joke with the hacker.
And dForce, through an address that managed the Lendf.me contract, attempted to make contact with the attacker, sharing the company email address. The attacker, to the surprise of many, actually responded, as indicated by dForce’s follow-up request for the individual to “check their email.”
The details of the ongoing negotiation aren’t public, but some have proposed a legal agreement under which the hacker walks away with full immunity but keeps only a portion of the funds. Specifically, 20% of the $20+ million figure is the sum that has been proposed.
The note from dForce confirmed that negotiations have begun. As CEO Mindao Yang wrote:
“We are doing everything in our power to contain the situation. We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s)’s addresses, and engaged our legal teams.”
Unfortunately, there doesn’t seem to be much precedent for exchanges or law enforcement agencies catching hackers of exchanges or DeFi platforms. After all, Bitcoin, Ethereum, and other cryptocurrencies can easily be siphoned through “mixers,” then sold via exchanges that don’t require KYC submissions or don’t perform extensive due diligence.
Update (12:30 p.m. PST on Sunday): The attacker is in the midst of returning a portion of the funds, having so far returned 320 Huobi Bitcoin (HBTC) and 381,162 Huobi USD (HUSD) to the dForce team, and has also started to unwind some of the loans he took via other decentralized finance protocols like Compound and Aave. Some have suggested that the hacker is only going to return funds that centralized parties can block, like semi-centralized stablecoins, but not assets like Ethereum and Maker’s DAI.
One of Many Ethereum Hacks
Although this is seemingly the worst hack of a DeFi application ever, it’s the latest in a series of exploits used to drain Ethereum users of their hard-earned assets.
Camila Russo — a Bloomberg journalist turned Ethereum content creator — pointed out that prior to the Lendf debacle, there were exploits in March, in February, and in June of last year. Each attack differed in size, but together they spanned a swath of protocols and involved a range of different cryptocurrencies, showing that these issues are “not just one project’s problem.” She elaborated:
“It’s not just one project’s problem. DeFi needs better security standards or we’ll continue seeing the downside of that composability double-edged sword.”
The bottom line with all this is that many believe DeFi may not be ready to go mainstream, despite its potential as a use case for Ethereum. As Jon Jordan, Communications Director at DAppRadar, told me in an interview:
“I don’t think anyone thinks the current generation of DeFi is ready to be deployed to the mainstream. In total, there are probably less than 10,000 people using DeFi protocols — just compare that to Binance.”