TL;DR: Mindao Yang, CEO of China-based decentralized finance (DeFi) company dForce, released a public statement about the hack of some $25 million via lending protocol Lendf.Me on its platform, April 19, 2020. Yang revealed, “The hacker(s) have attempted to contact us and we intend to enter into discussions with them.” As of publication, it does appear the hackers have indeed returned some victims’ funds.

dForce CEO Reveals Negotiating With Hackers After $25 Million Attack

“On 19 April 2020, Lendf.Me, the lending protocol in the dForce network, was attacked and approximately $25 million in assets were drained from the contract,” Yang acknowledged. “The situation is evolving, and we’re learning more every minute, however it appears the hacker(s) have concluded their attack.”

Yes I know that this meme is getting a bit stale and I know this also makes me a gigantic piece of shit but it just had to be done. I'm sorry pic.twitter.com/7RTO6GpYKj — Larry Cermak (@lawmaster) April 19, 2020

It’s the first official communication to the dForce community beyond a precious few Telegram channel comments in response to early user concern and worry. Its account matches what social media analysts had already detailed. Yang wrote, “We know that the hackers utilized a vulnerability within the ERC777 standard of imBTC to execute a reentrancy attack. The callback mechanism of ERC777 (imBTC) enabled the hacker to supply and withdraw imBTC repeatedly before the balance was updated,” and pointed those interested in the technical details to China-based blockchain security company PeckShield.
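The ordering problem Yang describes, modelled as an added example in Python (this is not dForce, Lendf.Me or PeckShield code): an ERC777-style token runs a sender hook during the transfer, and a pool that snapshots a balance, transfers, then writes the snapshot back lets a hook that re-enters withdraw() have its withdrawal erased. The token, pool and account names, and the hook used to drive the simulation, are assumptions for illustration.

```python
# Illustrative model only; names (Token, LendingPool, "pool", "alice") are assumed.
class Token:
    """ERC777-like token: a transfer invokes the sender's hook before settling."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}                      # sender -> callable(sender, recipient, amount)

    def transfer_from(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient token balance")
        if sender in self.hooks:             # tokensToSend-style callback runs before settlement
            self.hooks[sender](sender, recipient, amount)
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class LendingPool:
    def __init__(self, token, effects_first):
        self.token = token
        self.effects_first = effects_first   # False reproduces the flawed ordering
        self.balances = {}                   # the pool's own accounting of user deposits

    def supply(self, user, amount):
        if self.effects_first:               # checks-effects-interactions: write state first
            self.balances[user] = self.balances.get(user, 0) + amount
            self.token.transfer_from(user, "pool", amount)
        else:                                # flawed: snapshot, external call, write stale value
            new_balance = self.balances.get(user, 0) + amount
            self.token.transfer_from(user, "pool", amount)
            self.balances[user] = new_balance   # overwrites whatever the hook changed

    def withdraw(self, user, amount):
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient pool balance")
        self.balances[user] -= amount         # effects before the external transfer
        self.token.transfer_from("pool", user, amount)


def simulate(effects_first):
    """Returns (balance the pool records for alice, tokens the pool actually holds)."""
    token = Token({"alice": 200})             # constructed starting state
    pool = LendingPool(token, effects_first)
    pool.supply("alice", 100)                 # ordinary deposit, no hook installed yet
    # Hook installed afterwards: during the second supply it re-enters withdraw().
    token.hooks["alice"] = lambda sender, recipient, amount: pool.withdraw(sender, 100)
    pool.supply("alice", 100)
    return pool.balances["alice"], token.balances["pool"]
```

With the flawed ordering the pool records 200 for alice while holding only 100 tokens; with state written before the external call both figures are 100. In Solidity the same fix is updating storage before the external call, usually combined with a reentrancy guard such as a nonReentrant modifier.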

PeckShield characterized the Lendf.Me hack as “a huge blow to current DeFi community,” suggesting that the mechanisms endemic to the ERC777 token standard mean “we might need to revisit the decision why we need ERC777 if ERC20 is sufficient.” Meanwhile, Yang of dForce stressed, “We are doing everything in our power to contain the situation. We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s)’s addresses, and engaged our legal teams.”

Courting Further Disaster?

The wisdom of negotiating with hackers might appear to be courting further disaster. But there is a long history within the cryptocurrency community of doing just that, both as a way to recover stolen user funds and to mitigate such attacks going forward: often, as part of a negotiation, hackers are incentivized to reveal exactly how a vector was exploited.

1) The second attack using imBTC is more interesting. At the very beginning, attacker drained imBTC from other users on https://t.co/pJgDLnFcmq. Further, he repeated iterations to increase the ability to borrow other assets.

The attacker in each iteration (tx) did the following: — Frank Topbottom (@FrankResearcher) April 19, 2020

Perhaps refreshingly, Yang was contrite and took responsibility. “This attack was my failure. While I did not execute it, I should have anticipated it and taken actions to prevent it. My heart goes out to everyone harmed, and I will do everything in my power to make this right. I sincerely apologize to our users, to our new investors, and to my team for letting them down.”

At the time of publication, analyst Frank Topbottom revealed some of the hacked funds were being returned to victims. “Part of stolen funds went to @compoundfinance and @AaveAave,” he noted, “another part was sold for MKR, BAT, KNC, LINK. Some kind of overly devoted DeFi fan??” Delving further, he noticed, “WOW. The hacker sent PAX to the address that sent the message to the hacker,” and linked to a block explorer for proof.


DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.