It’s been a crazy past 24 hours for users of decentralized finance, also known as “DeFi.”
Over this time, devious Ethereum users managed to steal over $25 million worth of cryptocurrency from two separate protocols. The second hack, which accounts for the $25 million, is what this article will be focusing on.
As it stands, no one knows who the hacker is or what their intent is — the address that perpetrated the “crime” was created just hours before the hack took place, and no one has been able to tie the address to a person’s identity through exchange data just yet.
But, this hasn’t stopped people from reaching out and attempting to negotiate with the hacker, or, better put, trying to make a deal with the devil.
Operator of hacked Ethereum protocol contacts hacker
On the evening of Apr. 18, users on Twitter began to notice that Lendf.me, the decentralized lending protocol operated by Chinese DeFi upstart dForce, was losing funds at a rapid clip, much faster than what would normally be deemed safe.
Data indicated that within the span of a few hours, the protocol had lost 57 percent of its locked value. Simultaneously, Lendf.me’s website threw up a banner in both Mandarin Chinese and English saying that users should not deposit funds into the protocol.
But, it was too late. By the time the error had been caught, the protocol was empty; the $25 million worth of Ethereum, Tether’s USDT, and other leading tokens were gone, withdrawn primarily to this address.
As you can include messages in Ethereum transactions, many began to reach out to the address of the hacker.
The details of the ongoing negotiation aren’t public, but some have proposed a legal agreement should be set up where the hacker gets to walk away with legal immunity, but only with a portion of the funds.
CryptoSlate will update readers as the story develops.
What happened exactly?
Since the attack, the website of Lendf.me has gone offline and the Twitter account of the startup has fallen silent, but the company has, just minutes before this article’s writing, issued a statement.
Dated Apr. 19 and penned by the CEO, Mindao Yang, the note published to Medium explained that the attack vector the hacker utilized is related to imBTC, a tokenized version of Bitcoin on the Ethereum blockchain. The issue: an exploit in the ERC-777 standard that imBTC is based on, which allowed the hacker to credit his account with more capital than he actually held.
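To show what a ledger bug of this class looks like in code, here is an added illustration (not Lendf.me’s or dForce’s code; the contract and variable names are assumed). ERC-777 transfers call the sender’s tokensToSend hook before balances move, so a deposit function that reads its ledger before the token call and writes it back afterwards can have that write overwrite a withdrawal made from inside the hook.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Lendf.me/dForce code; names are assumed.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE: the new principal is computed from a value read BEFORE the
// external token call and written back AFTER it. An ERC-777 hook that
// calls withdraw() during transferFrom has its ledger decrement overwritten
// by the stale write, so tokens leave while the ledger still credits them.
contract VulnerableVault {
    IToken public immutable token;
    mapping(address => uint256) public principal;
    constructor(IToken t) { token = t; }

    function supply(uint256 amount) external {
        uint256 updated = principal[msg.sender] + amount;              // stale read
        require(token.transferFrom(msg.sender, address(this), amount)); // hook runs here
        principal[msg.sender] = updated;                                // stale write
    }

    function withdraw(uint256 amount) external {
        require(principal[msg.sender] >= amount, "insufficient");
        principal[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount));
    }
}

// HARDENED: a reentrancy guard rejects nested calls while any token call is
// in flight, and the ledger is updated with a single read-modify-write placed
// after the transfer, so no stale value can ever be written back.
contract HardenedVault {
    IToken public immutable token;
    mapping(address => uint256) public principal;
    uint256 private locked = 1;
    constructor(IToken t) { token = t; }

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function supply(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount));
        principal[msg.sender] += amount; // read and write both after the call
    }

    function withdraw(uint256 amount) external nonReentrant {
        principal[msg.sender] -= amount; // 0.8 checked math reverts on underflow
        require(token.transfer(msg.sender, amount));
    }
}
```

A review check for this class of bug: any function that both touches a balance mapping and makes an external token call should either hold a reentrancy guard or update its state before the call, and it should never write back a value read before the call.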
The note also confirmed that negotiations have begun, or at least messages have been exchanged, between dForce and the attacker. Mindao also claimed his team is in contact with exchanges and law enforcement agencies.
This attack came hours after another address (possibly the same individual) used a similar vector to drain a Uniswap pool (market) of an estimated $300,000 in imBTC and Ethereum.
The details of these attacks are complicated, but more information can be found in this unofficial post-mortem by crypto-centric cybersecurity firm SlowMist.
Not ready to go mainstream
Over the past few months, DeFi has been branded as a killer use case of Ethereum and other smart contract blockchains.
The idea goes that with billions underbanked or not banked at all and with interest rates near 0 percent, a blockchain-based ecosystem of finance, where theoretically anyone can gain access to services a “real” bank would offer, should gain mass adoption.
But, with this hack taking place that wiped hundreds or even thousands of users out of $25 million, many are suggesting DeFi isn’t ready to go mainstream.
Not to mention, this hack is the latest in a series of exploits and shortcomings in the budding DeFi ecosystem.
June 2019: Synthetix 37m sETH
Feb. 2020: bZx $900k
Mar. 2020: iEarn ~$280k
April 2020: LendfMe $25m
It’s not just one project’s problem. DeFi needs better security standards or we’ll continue seeing the downside of that composability double-edged sword.
— Camila Russo (@CamiRusso) April 19, 2020