dForce attacker returns all $25M stolen funds back to the DeFi project

Quick Take

  • The dForce attacker has returned entire $25 million worth of stolen funds back to the DeFi project
  • Sergej Kunz, CEO of 1inch.exchange, told The Block that the exchange aggregator got a request from Singapore police for revealing the attacker’s IP data and helped dForce recover the stolen funds
  • A Singapore police spokesperson declined to provide details, telling The Block that the information is “confidential in nature”  

In a new twist to the dForce attack saga, the exploiter has returned all stolen funds - worth about $25 million - back to the Chinese decentralized finance (DeFi) project.

Yesterday, the attacker returned $2.79 million to dForce, and today the rest of the amount i.e. nearly $22 million, has been returned, according to Etherscan data analyzed by The Block Research.

Sergej Kunz, CEO of 1inch.exchange, told The Block that the attacker has returned all the funds because their IP address was shared with Singapore police.

"We got a request from Singapore police and we were helping dForce. Based on the request, we delivered to the police the IP addresses and sensitive meta information, which the hacker speeded by using our CDN," Kunz told The Block.

"We reacted very fast [when the police sent an email]... we protect the user data, but in such a case it is a must to help police... the idea was to make pressure as much possible to the hacker," Kunz told The Block.

A Singapore police spokesperson declined to provide details, telling The Block that the information is "confidential in nature."  

The returned funds are now worth about $24.3 million, which is slightly less than the value of the stolen funds because the exploiter converted some of them and they lost some value:

Source: Etherscan, The Block Research

After publication of this story, dForce founder and CEO Mindao Yang confirmed retrieving stolen funds. "We have successively recovered the stolen assets with the assistance of all parties. However, because some assets were converted into other tokens during the stolen process, we need more time to conduct asset accounting and formulate the next distribution plan," said Yang on his WeChat account. 

Multicoin Capital-backed dForce was exploited last weekend, during which it lost nearly 100% of its total value locked. The attacker had got access to the following coins and tokens:

Source: Etherscan, The Block Research

Multicoin Capital principal Mable Jiang, who led the dForce investment last week, declined to comment on the attacker returning stolen funds. 

Notably, The Block has learned that ParaSwap declined to help dForce with the attacker's information because they said they being a French company follow GDPR (General Data Protection Regulation) laws. But that is not true, a person familiar with the matter, told The Block.

"They [ParaSwap] don’t have any contact information on the website, which is required and can cause €200k punishment. Also, they collect user email addresses for the notification system if the price change and also IP addresses and don’t have any policy on the webpage," the person told The Block. 

ParaSwap founder and CEO Mounir Benchemled brushed those allegations off, telling The Block: "ParaSwap hasn’t been contacted by any domestic (French) or foreign authority. It is illegal for enterprises to communicate user data to private individuals or private organizations that do not go through legal channels to access these data. ParaSwap has acted according to company values that promote the respect of the security and privacy of our users."

Regarding the lack of contact information on the website, Benchemled said the ParaSwap has an Intercom chat integrated on its website, as well as has other social channels. 

"The notification system is an optional feature, an extra service that we offer to our users, a 'price alert' that they can choose or not, very similar to industry standards. It is not by any means a way to 'collect' their email address. We don't use these for any other communication regarding ParaSwap besides the request for which our users allowed us to (the specific price alert and only that). Therefore, the email address given by users in this context is only a transactional one, as desired by our users, without any other purpose (i.e. marketing)," Benchemled added.

Notably, ParaSwap's privacy policy is dated April 21. Benchemled told The Block: "We made some small modifications yesterday...ParaSwap Pool section wasn't clear enough. There was a typo on page 9 of the policy, and the insurance link wasn't pointing to the right page."

Update: This story has been updated to include comments from 1inch.exchange CEO Sergej Kunz,  ParaSwap founder and CEO Mounir Benchemled, Singapore police, and more information. 

This is a developing story: We'll give updates on the situation as we learn more.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.