
dForce hackers forced into U-turn after failing to sell stolen funds

Hackers of Chinese DeFi platform dForce have backpedaled on a $25 million exploit, returning $2.6 million in stolen funds after failing to dump them.

Hackers who siphoned over $25 million from Chinese DeFi platform dForce have started returning the now-blacklisted funds after failing to sell them.

Their change of heart was far from altruistic, however; the hackers found themselves at a loss after several exchanges blacklisted the funds. Unable to unload their stolen capital, the hackers reached out to dForce to strike up a deal.

“The hacker(s) have attempted to contact us and we intend to enter into discussions with them,” dForce founder Mindao Yang noted in a blog post published yesterday.

It seems those negotiations went well, as some of the stolen funds appear to have been returned. According to crypto researcher ‘Frank Topbottom’, the hackers repaid 320 Huobi BTC—an ERC-20 version of Bitcoin—and 381,000 Huobi USD.

Congrats @dForcenet https://t.co/ZrHxUcnPZ8 pic.twitter.com/OO0yQH7B54

— Frank Topbottom (@FrankResearcher) April 19, 2020

While that only amounts to around $2.6 million—around 10% of the funds stolen in the hack—it’s still a somewhat promising start.

How was dForce hacked?

On April 14, hackers exploited a known vulnerability within the ERC-777 token standard—using a “reentrancy attack” to drain $25 million from various DeFi protocols within the dForce network. 

In this unprecedented crisis, I am grateful for the supports from our users, community, partners, our team, and investors. https://t.co/TWRGIw1vcZ

— Mindao Yang (@mindaoyang) April 19, 2020

The same exploit was also used to funnel $300,000 from decentralized exchange Uniswap on Saturday.

But here’s the kicker. The exploit was almost exactly the same as that used in the infamous DAO hack of 2016. On top of this, an audit of Uniswap—undertaken by ConsenSys well over a year ago—already revealed the vulnerability, dubbing it a “major” issue.

Let’s just hope it doesn’t take another hack for the loophole to get patched up this time.
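To make the mechanism concrete, here is a simplified Python model of reentrancy through a token transfer hook, added as an illustration; it is not code from dForce, Uniswap or the ERC-777 standard. All class names and amounts are constructed. The hardened path debits the ledger before the external call and rejects nested calls.

```python
class HookToken:
    """Toy token: like ERC-777, it calls a hook on the recipient during transfer."""
    def __init__(self):
        self.bal = {}
    def transfer(self, src, dst, amount):
        if self.bal.get(src, 0) < amount:
            raise ValueError("insufficient tokens")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount
        hook = getattr(dst, "tokens_received", None)
        if hook:
            hook(src, amount)  # control passes to the recipient here

class Pool:
    """Toy deposit pool; safe=True selects the hardened withdraw."""
    def __init__(self, token, safe):
        self.token, self.safe, self.deposits, self.locked = token, safe, {}, False
    def withdraw(self, user, amount):
        if self.safe and self.locked:
            raise RuntimeError("reentrant call rejected")  # reentrancy guard
        if self.deposits.get(user, 0) < amount:
            raise ValueError("insufficient deposit")
        self.locked = True
        if self.safe:
            self.deposits[user] -= amount        # effect before interaction
        self.token.transfer(self, user, amount)  # external call; hook may fire
        if not self.safe:
            self.deposits[user] -= amount        # debited too late
        self.locked = False

class ReentrantHolder:
    """Recipient whose hook calls back into the pool (constructed test actor)."""
    def __init__(self, pool, depth):
        self.pool, self.depth, self.blocked = pool, depth, False
    def tokens_received(self, src, amount):
        if src is self.pool and self.depth > 0:
            self.depth -= 1
            try:
                self.pool.withdraw(self, amount)
            except (RuntimeError, ValueError):
                self.blocked = True

def run(safe):
    token = HookToken()
    pool = Pool(token, safe)
    holder, other = ReentrantHolder(pool, depth=2), object()
    pool.deposits = {holder: 10, other: 90}  # constructed ledger
    token.bal = {pool: 100}                  # pool holds both deposits
    pool.withdraw(holder, 10)
    return token.bal[holder], token.bal[pool], holder.blocked
```

With the vulnerable ordering, a 10-token deposit pays out 30 and the pool can no longer cover the other depositor's 90; with the hardened ordering the nested call is rejected and the payout stays at 10.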
