It’s easy to forget that the cryptocurrency space remains a highly experimental one.
ForceDAO, a shiny new decentralized finance (DeFi) project, got attacked by five hackers this morning, reviving concerns around the highly experimental sector and the seemingly unending amounts of money flowing into hours-old projects.
Another day, another DeFi hack
The Ethereum-based project fashions itself as a decentralized autonomous organization (DAO) for ‘quant finance.’ It aims to leverage high returns from yield-bearing DeFi protocols and produce superior returns by adhering to community-proposed strategies and rewarding the strategists with powerful incentives.
Last week, the protocol’s developers said they would “airdrop” tokens to users of other DeFi protocols to ensure a fair launch and attract various crypto communities to their own. A total of 25 million FORCE tokens (out of a fixed 100 million supply) were to be distributed over the next month to those staking on Aave, Alchemix, Badger, Balancer, Curve, Maker DAO, Synthetix, Sushi, Vesper, and Yearn Finance.
But this morning, the much-awaited airdrop went awry. An estimated five hackers attacked the project in the hours after the airdrop, causing FORCE prices to plunge more than 90% in a sudden, drastic fall.
The day ForceDAO got hit
Mudit Gupta, blockchain lead at Polymath Network, took to Twitter to explain what happened. According to him, the hackers exploited a known Solidity issue (Solidity is the programming language used to write Ethereum smart contracts) that allowed users to obtain FORCE tokens via an illicit process.
Hackers were able to manipulate the way xFORCE tokens (the “interest-bearing” version of FORCE that represents one’s share in the FORCE profit-sharing pool) are handled on the platform and get FORCE tokens in return, he noted.
“In the FORCE token, the transfer functions return false rather than reverting when the sender doesn’t have enough balance. The xFORCE contract assumes FORCE will revert and does not handle the returned value,” Gupta said.
“This means anyone can call the `deposit` function of the xFORCE contract even if they do not have any FORCE tokens. The xFORCE contract will mint them fresh xFORCE tokens even though it will fail to lock their nonexistent FORCE tokens.”
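The unchecked-return pattern Gupta describes, next to a hardened version, as an added example that is not ForceDAO's source code or part of Gupta's thread. The contract, interface and function names are hypothetical, and the 1:1 share minting is a simplifying assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical token interface: transferFrom signals failure by
// returning false instead of reverting, as described for FORCE.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical share vault (illustrative names, 1:1 shares for simplicity).
contract ShareVault {
    IToken public immutable token;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IToken token_) {
        token = token_;
    }

    // Flawed pattern: the boolean result is discarded, so a failed
    // transfer still falls through to the mint below.
    function depositUnchecked(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        _mint(msg.sender, amount);
    }

    // Hardened pattern: revert unless the token reports success, and
    // mint only what the vault's balance actually increased by.
    function depositChecked(uint256 amount) external {
        uint256 balanceBefore = token.balanceOf(address(this));
        bool ok = token.transferFrom(msg.sender, address(this), amount);
        require(ok, "transfer failed");
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        _mint(msg.sender, received);
    }

    function _mint(address to, uint256 amount) private {
        shares[to] += amount;
        totalShares += amount;
    }
}
```

The balance-delta check in `depositChecked` also covers tokens whose return value cannot be trusted, since shares are tied to what the vault actually holds.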
After reviewing the various addresses from which the alleged hackers conducted their attacks, Gupta stated that over five hackers seemed to have attacked the project. One was a ‘whitehat’ hacker who promptly returned the funds to the network, but the others sold their proceeds.
Nearly $350,000 worth of ETH was dumped by the hackers in all. ForceDAO, for its part, issued an advisory that cautioned users to avoid trading on any exchanges until the issue was solved. The team has not issued any other statement as of press time.