DeFi Chaos: dForce Loses 99% Of Its Assets In $25 Million Hack, Uniswap Simultaneously Hacked For $300,000

April 20, 2020 / by Crypto.IQ

Decentralized finance (DeFi) platform dForce has lost $25 million in a hack, which is 99% of its assets. This happened only a day after Uniswap lost $300,000 in a hack as well. It appears both hacks are linked to the imBTC token, which is a wrapped version of Bitcoin (BTC) created by imToken that is apparently not secure.

Specifically, imBTC is an ERC-777 token, and it can be exploited via reentrancy attacks since ERC-777 executes contracts when it receives tokens, unlike ERC-20 which only executes contracts if it receives Ethereum (ETH).

To make a complicated story short, the hacker was able to call the smart contract and withdraw the funds before the external balance could be updated, leading to a cycle where all the tokens could be purchased for pennies.

Shockingly, this ERC-777 exploit was known about 16 months ago. Even worse, the Uniswap imBTC hack happened a day before dForce was hacked and if dForce was paying attention they would have had time to prevent the $25 million hack. 

Ultimately, it appears this is a relatively isolated incident in the DeFi world, since it was due to a single token, imBTC, lacking security. However, it goes to show that even one unsecure piece of a DeFi platform can lead to all of the funds being drained, and this is a lesson that DeFi platforms and crypto exchanges need to be very careful about which tokens they offer.

Don’t Miss out on top crypto trade secrets

join crypto iq
Essentials Package
only $9/month

Retail $97/month