On April 19, 2020, dForce, a Multicoin Capital-backed Chinese language decentralized finance (DeFi) protocol, was exploited in an attack, and the network came crashing down.
Data from DeFi Pulse suggested that the Total Value Locked in the dForce space dropped from a staggering $25M, all the way to $10.10K, registering a crash of over 100% in the charts.
On-chain data reveals that the attackers have transferred the assets to two other platforms, namely, Compound and Aave.
According to a local Chinese outlet, the dForce team has already “located the problem and advised all users to stop depositing assets in the loan agreement on the web page.”
Meanwhile, Mindao Yang, the founder of dForce, said that the dForce lending platform (Lendf.Me) is currently paused as they continue to investigate the issue. He advised users not to deposit any funds through it.
Could dForce Attack Be Linked to Earlier Hack on Lendf.Me?
After the dForce attack, speculations started swirling that the attack was due to imBTC, which is an Ethereum token pegged 1:1 to Bitcoin that was recently added to the platform. On January 21, 2020, dForce had integrated imBTC with Lendf.Me, the money market of dForce network.
Now, Rober Leshner, Compound’s CEO who had earlier accused dForce of copy/pasting his company’s code, believes that the imBTC collateral asset turned out to be dishonest and gave access to the dForce attackers to draw funds from the platform.
Leshner claimed in a tweet:
The attack could not have come at a more inconvenient time as just four days ago, dForce had announced a $1.5M funding, which was spearheaded by Multicoin Capital and had active participation from Huobi Capital and China Merchants Bank International (CMBI).
Kava Labs CEO Comments on the dForce Attack
Kava Labs, a CDP DeFi platform that is quite similar to MakerDao is a key player in the industry and has its native token, Kava, listed on Binance among the top 200 tokens. When asked to comment on the attack on dForce, Brian Kerr, the CEO at Kava Labs had this to say.
“As for dForce specifically, it is a tragedy for what happened to the users’ funds. Lots of people lost hard-earned money due to basic negligence. I don’t like to say bad things about others usually, hacks can happen to any team, but the dForce incident is particularly bad.”
He proceeded to say that using ETH to build a financial service posed several security problems since it was near impossible to test all possible outcomes and bugs. He, however, said that both dForce and the users were to blame. The DeFi protocol released an unsafe product and the users failed to do their due diligence to ensure the product was safe for them.
Kerr added that Kava ensured that it had the right security measures in place by building their code from the ground up and testing it to high confidence for its accuracy and security. He also claimed that the team at dForce had copied the code from Compound and passed it as their own, without running any security measures. “Outside of stealing Compound’s code, dForce also stole Kava’s USDX token name and ticker-despite us announcing our token name many months before they even had a platform,” he concluded.
Inherent Risk Associated With Decentralized Finance
While decentralized finance (DeFi) is a concept that undoubtedly poses a lot of potential benefits, it’s essential to recognize that it’s still a very risky field.
Just a couple of months ago, almost $1M worth of ETH was compromised following two attacks on another DeFi protocol called bZx.
Last year during the Ethereal Summit held in Tel Aviv, Ethereum Founder Vitalik Buterin discussed DeFi protocols and outlined a lot of their benefits. However, he also warned that people shouldn’t be encouraged to put their money into them because they are yet untested and “have a non-zero chance of failure”.