Multicoin Capital-backed DeFi protocol dForce loses ~$25M total locked value in an exploit

Update (1:53 PM EST, 4/19/2020): dForce CEO Mindao Yang just confirmed in a blog post that the hacker(s) have reached out to the team and the team intends to "enter into discussions with them." 

The team also said that it has "contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s) addresses and engaged our legal team." 

dForce, a Multicoin Capital-backed Chinese decentralized finance (DeFi) protocol, has been exploited. 

The total value locked in the dForce ecosystem was down by 100% to $6 over the past 24 hours, per DeFi Pulse data. A day ago, the total value locked in the system was $24.9 million. The Lendf.Me website, a lending platform within the dForce ecosystem, is also not accessible at press time.

On the dForce Telegram channel, CEO Mindao Yang said the team is still investigating the issue and advised users not to supply any asset into Lendf.Me now. The team also confirmed the Chinese crypto news site ChainNews that it Lendf.Me was attacked at block height 9,899,681. 

Although details of the exploit were yet to be revealed, it is worth noting that in January, Lendf.Me integrated with imBTC, an Ethereum token pegged to BTC. Earlier today, a liquidity pool for imBTC on decentralized exchange Uniswap was exploited, resulting in a loss of around $300,000 worth of tokens. 

The imBTC attack took advantage of the fact that imBTC uses ERC 777 standard, which allows the hacker to continuously call the Uniswap smart contract to withdraw funds before the external balance could be updated.

On Twitter, some users are speculating that Lendf.Me experienced a similar attack to the imToken one, as transaction records show that the hacker repetitively called Lendf.Me's withdrawal function to take out imBTC that was supplied to the lending protocol by the hacker in the first place. 

This scheme, however, was not new. In 2016, the famous DAO hack used a similar mechanism that led to $60 million Ether being stolen. A ConsenSys audit of Uniswap last year also discussed this vulnerability in depth. 

Launched last Septemeber, Lendf.Me was able to grow into one of the seventh largest DeFi market by value locked on DeFi Pulse before the attack. However, as The Block previously reported, another lending protocol Compound accused Lendf.Me of stealing its code. The Lendf.Me team later added attribution to Compound after The Block reached out. 

On April 15, dForce just announced a $1.5 million funding round led by Multicoin Capital, with participation from Huobi Capital and China Merchants Bank International (CMBI), the investment arm of one of the biggest banks in China.