2020 has not been a good year for the decentralized finance (DeFi) market: multiple attacks on lending protocols have resulted in losses worth millions. Most of these attacks exploited bugs and loopholes in a market that is still new and fast-growing.

Early February saw the lending protocol bZx lose $900,000 in two consecutive attacks. The attacker first took a loan of 10,000 Ether from the lending protocol dYdX, then used 5,500 ETH of it as collateral for a 112 wrapped Bitcoin (WBTC) loan (worth over $1 million) on the DeFi protocol Compound.

On April 18, a liquidity pool for imBTC on the decentralized exchange Uniswap was exploited and the hacker got away with $300,000 worth of tokens. As reported by The Daily Chain, a developer familiar with the matter said that the exploit used in this case had been noted in an audit 16 months earlier but was never addressed.

Two birds, one stone

Now, recent reports state that dForce, a Multicoin Capital-backed Chinese decentralized finance (DeFi) protocol, has been exploited. The total value locked within dForce fell by 10% to $6 over the past day. The hackers appear to have made off with almost $25 million.

Lendf.Me, the lending platform within dForce, was the component attacked, and reports suggest a connection with the attack on the Uniswap pool, since Lendf.Me had integrated imBTC back in January.

According to dForce CEO Mindao Yang, Lendf.Me was attacked at block height 9,899,681 and the team is investigating the matter. In a blog post confirming the hack, Yang wrote:

“We know that the hackers utilized a vulnerability with the combination of using ERC777 tokens and DeFi smart contracts to execute a reentrancy attack. The callback mechanism enabled the hacker to supply and withdraw ERC777 tokens repeatedly before the balance was updated.”

What is interesting is that the imBTC attack used a similar mechanism to drain funds. imBTC is also based on the ERC777 standard, and the hacker repeatedly called the Uniswap smart contract to withdraw funds before the external balance could be updated.

Transaction records show the hacker repeatedly using Lendf.Me's callback mechanism to withdraw imBTC that the hacker had supplied to the lending protocol in the first place.
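As an added illustration (not dForce's, Uniswap's or the article's own code), the following Python model shows the mechanism Yang describes: an ERC777-style token hands control to the recipient's hook in the middle of a transfer, and a pool that only updates its ledger after that call can be re-entered, while the same pool with the checks-effects-interactions ordering rejects the re-entry and the call reverts. The token, pool, depositor balances and amounts are constructed assumptions for the model.

```python
class ERC777Token:
    """Toy ERC777-style token (constructed): send() credits the recipient, then calls its hook."""
    def __init__(self):
        self.balances = {}
    def send(self, sender, recipient, amount):
        assert self.balances.get(sender, 0) >= amount, "token balance too low"
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook:
            hook(amount)  # control passes to the recipient mid-transfer

class LendingPool:
    """Records each user's supply; withdraw() pays out through the token."""
    def __init__(self, token, safe):
        self.token, self.safe, self.supplied = token, safe, {}
    def supply(self, user, amount):
        self.token.send(user, self, amount)
        self.supplied[user] = self.supplied.get(user, 0) + amount
    def withdraw(self, user, amount):
        assert self.supplied.get(user, 0) >= amount, "insufficient supply"
        if self.safe:  # checks-effects-interactions: update ledger, then call out
            self.supplied[user] -= amount
            self.token.send(self, user, amount)
        else:          # vulnerable order: hook runs while supplied[user] is stale
            self.token.send(self, user, amount)
            self.supplied[user] -= amount

class ReentrantReceiver:
    """Recipient whose hook re-enters withdraw while the pool still holds tokens."""
    def __init__(self, pool, amount):
        self.pool, self.amount = pool, amount
    def tokens_received(self, _amount):
        if self.pool.token.balances.get(self.pool, 0) >= self.amount:
            self.pool.withdraw(self, self.amount)

def run_scenario(safe):
    # Returns (attacker token balance, attacker recorded supply) after one withdraw call
    token = ERC777Token()
    pool = LendingPool(token, safe)
    token.balances["alice"] = 500  # constructed honest depositor
    pool.supply("alice", 500)
    attacker = ReentrantReceiver(pool, amount=100)
    token.balances[attacker] = 100
    pool.supply(attacker, 100)
    snapshot = (dict(token.balances), dict(pool.supplied))
    try:
        pool.withdraw(attacker, 100)
    except AssertionError:  # a failed check reverts the whole call, as on the EVM
        token.balances, pool.supplied = snapshot
    return token.balances[attacker], pool.supplied[attacker]
```

With the vulnerable ordering the receiver drains all 600 tokens against a recorded supply of 100, leaving the ledger at -500; with the safe ordering the re-entered withdraw fails its balance check and the whole call reverts.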

Yang has further stated that the hackers “have attempted to contact us and we intend to enter into discussions with them.”

The blog further added:

“We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s)’s addresses and engaged our legal teams.”

This is not new in this space: the MakerDao hack back in 2016 saw the attacker use a similar method to get away with $60 million worth of Ether.

This goes to show that developers need to pay more attention to the small loopholes and bugs that result in heavy losses. The DeFi space has been acting as a key area within the crypto space, and if risks like these persist, it will be very difficult for the DeFi market to reach mainstream adoption.