Is DeFi finally dead after the $25 million dForce / Lendf.me hack?

WHAT HAPPENED?

8:58 AM SCT, April 18:
An attacker exploited a reentrancy weakness that arises from the combination of Uniswap and ERC-777 tokens.
The partners try to patch it… Lendf.me says everything is OK… Well…

09:28 AM SCT, April 19:
Tokenlon received a message from Lendf.me about an attack similar to the Uniswap one, which had resulted in a large number of abnormal borrowings on the platform.

The capital locked in dForce dropped by 99.9%!

Comparison of past attacks

This is just one of many attacks in recent months and years:

How did the hack work? Keyword: reentrancy attack

A reentrancy attack lets the attacker call back into a contract while an earlier call to that contract is still executing, i.e. before the first call has finished updating its own bookkeeping. Every re-entered call sees the stale balance, so funds can be withdrawn repeatedly in a loop.

What Uniswap and Lendf.me have in common is the token involved and the standard it follows. The three pieces involved:

  1. Lendf.me protocol — a decentralised finance (DeFi) lending protocol developed by the dForce Foundation to support lending and borrowing on Ethereum.
  2. imBTC — a token on Ethereum that is backed 1:1 by Bitcoin.
  3. ERC-777 — an Ethereum token standard that, unlike ERC-20, notifies the sender and the recipient of a transfer through hook functions (tokensToSend / tokensReceived); a contract on either side can run its own code inside that hook while the transfer is still in progress. Both Lendf.me and imBTC run as smart contracts on Ethereum.

The ERC-777 token standard itself has, according to Tokenlon, the company behind imBTC, no vulnerability.

BUT: the combination of ERC-777's transfer hooks with the way Uniswap and Lendf.me update their balances around an external token call is what made the reentrancy attacks possible.
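To make the mechanism concrete, here is a small Python model written for this post. It is not the code of Lendf.me, Uniswap or imBTC; the token, pool and attacker classes, the address "alice" and all balances are constructed, and the pool's bookkeeping is simplified. The ERC-777-style token hands control to the sender's tokensToSend hook in the middle of a transfer. The vulnerable pool computes a user's balance before that external call and writes it afterwards, so a withdrawal made from inside the hook is overwritten by the stale value. The hardened pool writes its state before the external call (checks-effects-interactions) and guards both entry points with a mutex.

```python
# Constructed model of ERC-777 hook reentrancy; not Lendf.me, Uniswap or imBTC code.

def non_reentrant(method):
    """Mutex in the style of a Solidity nonReentrant modifier: a nested call fails."""
    def guarded(self, *args):
        if self._entered:
            raise RuntimeError("reentrant call")
        self._entered = True
        try:
            return method(self, *args)
        finally:
            self._entered = False
    return guarded

class ERC777Token:
    """transfer() calls the sender's tokensToSend hook before moving balances."""
    def __init__(self):
        self.balances = {}  # holder -> token balance

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, recipient, amount):
        hook = getattr(sender, "tokens_to_send", None)  # only contracts have one
        if hook is not None:
            hook(recipient, amount)  # control leaves the token mid-transfer
        if self.balance_of(sender) < amount:
            raise RuntimeError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount

class VulnerablePool:
    """Writes a balance computed *before* the external call, after it returns."""
    def __init__(self, token):
        self.token = token
        self.supplied = {}  # user -> balance the ledger says the pool owes

    def supply(self, user, amount):
        new_balance = self.supplied.get(user, 0) + amount  # computed pre-call
        self.token.transfer(user, self, amount)  # sender's hook runs in here
        self.supplied[user] = new_balance  # stale write undoes what the hook did

    def withdraw(self, user, amount):
        if self.supplied.get(user, 0) < amount or self.token.balance_of(self) < amount:
            raise RuntimeError("insufficient balance or pool liquidity")
        self.supplied[user] -= amount  # effect before interaction
        self.token.transfer(self, user, amount)

class HardenedPool(VulnerablePool):
    """Checks-effects-interactions plus the mutex."""
    _entered = False

    @non_reentrant
    def supply(self, user, amount):
        self.supplied[user] = self.supplied.get(user, 0) + amount  # effect first
        self.token.transfer(user, self, amount)  # interaction last

    @non_reentrant
    def withdraw(self, user, amount):
        super().withdraw(user, amount)

class Attacker:
    """Contract whose tokensToSend hook re-enters withdraw() during supply()."""
    def __init__(self, pool):
        self.pool = pool
        self.armed = False

    def tokens_to_send(self, recipient, amount):
        if self.armed and recipient is self.pool:
            self.armed = False  # re-enter once per deposit
            try:  # pull everything the ledger currently credits us with
                self.pool.withdraw(self, self.pool.supplied.get(self, 0))
            except RuntimeError:
                pass  # failed inner call swallowed, as a Solidity try/catch would

    def attack(self, deposit, rounds):
        self.pool.supply(self, deposit)  # honest deposit creates a ledger entry
        for _ in range(rounds):  # armed deposits withdraw inside the hook
            self.armed = True
            self.pool.supply(self, deposit)
        self.pool.withdraw(self, self.pool.supplied[self])  # cash out

def run_attack(pool_cls, honest_deposit=100, attacker_funds=40, deposit=10, rounds=3):
    """Returns (attacker before, attacker after, pool cash, total the ledger owes)."""
    token = ERC777Token()
    pool = pool_cls(token)
    token.balances["alice"] = honest_deposit  # honest supplier: plain address, no hook
    pool.supply("alice", honest_deposit)
    attacker = Attacker(pool)
    token.balances[attacker] = attacker_funds
    attacker.attack(deposit, rounds)
    return (attacker_funds, token.balance_of(attacker),
            token.balance_of(pool), sum(pool.supplied.values()))

if __name__ == "__main__":
    for cls in (VulnerablePool, HardenedPool):
        print(cls.__name__, run_attack(cls))  # (before, after, pool cash, ledger owes)
```

Run as a script it prints one tuple per pool. Against the vulnerable pool the attacker turns 40 constructed tokens into 100 while the pool is left holding 40 tokens against a ledger that still owes the honest supplier 100; against the hardened pool the re-entered withdraw fails on the mutex, and even without the mutex the effects-first write would keep the ledger consistent, so the attacker gets back exactly the 40 they started with.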

The bummer: it appears that the attackers used an exploit pattern that OpenZeppelin, a company that audits smart contracts for cryptocurrency platforms, had published on GitHub in July 2019.

Result: $25 million loss

It is currently estimated that Uniswap has lost between $300,000 and $1.1 million in funds, while Lendf.me has lost more than $24.5 million.

The actual problem:

A wrong risk/benefit assessment of Turing-complete smart contract platforms, where anything is possible, and greed often eats brains.

Possible solutions:

  1. Better risk assessment by users
  2. Better audits
  3. DeFi without Turing completeness? Example: https://DeFiChain.io or others

What’s next for Lendf.me?

Negotiate with the hackers to return the funds in exchange for a commission:

Can trust be rebuilt?

A lot of people lost their money in this hack. The exciting question now is how Lendf.me deals with it and how the community reacts in the long run.

In the crypto space we have already witnessed several hacks; some were quickly forgotten and trust was rebuilt, like the Binance hack: Binance reacted extremely quickly and compensated everyone affected, so it was able to regain trust fast. With Mt. Gox, on the other hand, it was a total loss…

We will find out in the next few days/weeks what exactly happens next.

Your opinion? Should “bad code must die” be implemented?

Cash flow from cryptocurrencies, secure and verified, but (still) centralized: https://cakedefi.com

Also check https://defichain.io for non-Turing-complete DeFi, where such things should not happen in the future.

Your Julian

You can find more such contributions to:
Hackernoon: https://hackernoon.com/u/julianhosp
Blog: https://julianhosp.com/blog/
LinkedIn: https://www.linkedin.com/in/julianhosp/

I build @CakeDeFi and I love @DeFiChain, EU Blockchain Advisor, Angel Investor, Washington Bureau Speaker, 5x Bestselling Author, Ex-Pro-Athlete, Ex-Medical-Doc