- ForceDAO was drained of millions of dollars this morning after a white hat hacker discovered a bug in the smart contract’s code.
- The white hat hacker successfully took 14.8 million FORCE tokens. Though they returned the funds, other attackers noticed the exploit and have sold their tokens for ETH.
- FORCE briefly tanked 95% following the attack. It’s still deep in the red following the incident.
Share this article
Another multi-million dollar rug pull has hit the DeFi space. This weekend, ForceDAO is the victim.
Disaster for ForceDAO
ForceDAO has suffered a major attack.
The exploit centers on a bug in the xFORCE contract’s code, which allowed anyone to call the “deposit” function regardless of whether they were holding FORCE tokens. That meant it was possible to mint xFORCE tokens from the contract without locking any tokens in the vault.
Anyone could then exchange these tokens for FORCE by calling the “withdraw” function in the contract.
Several attackers took advantage of the exploit earlier this morning. One of them took about 14.8 million FORCE, which had a notional value of around $34 million at the time. They’ve since returned the funds to the pool.
However, four others drained another 6.75 million tokens and have begun exchanging their takings for ETH on various exchanges. As the white hat attacker had already found the exploit, liquidity plunged, which meant every subsequent attacker earned significantly less for their FORCE.
Mudit Gupta, blockchain team lead at Polymath Network, detailed the attack in a tweetstorm.
xFORCE contract from @force_dao hacked and drained by a whitehacker. In the FORCE token, the transfer functions return false rather than reverting when the sender doesn’t have enough balance. The xFORCE contract assumes FORCE will revert and does not handle the returned value. pic.twitter.com/lPo9vJ48bs
— Mudit Gupta (@Mudit__Gupta) April 4, 2021
ForceDAO organized a highly anticipated…