Decentralized exchanges (DEX) operating on the Ethereum blockchain have a security issue. MakerDAO’s Compound, a decentralized finance (DeFi) lending platform was hacked a couple of weeks ago, followed by an attack on the Uniswap DEX. Almost immediately after the latest attack, the DeFi lending platform offered by dForce, Lendf.me, was hacked, as well, resulting in the loss of $25 million in user funds. Fortunately for those individuals, a swift response helped recover most of the money, which will now be returned to the users. In an update to the ongoing debacle from a couple of days ago, Lendf.me explained that the recovered funds had been moved to a separate recovery account and had been working to complete an audit and reimbursement strategy to quell users’ anger. dForce added in a Twitter post, “Over 90% of assets have been distributed to users in less than 24 hours. 100% users have been made whole in the recovery. We will disclose more future actions shortly. Stay tuned.” https://twitter.com/dForcenet/status/1254738662039752704 Reimbursements will be automatic, for certain users, provided they complete a confirmation process on the newly-established “Asset Recovery System (ARS).” Those individuals who had supplied funds to be used for loans, but who didn’t take out loans, can log in with their wallet address, confirm the information held by the platform and, upon agreeing to the Terms & Conditions, receive their funds automatically on a first-come, first-served basis. For those who had taken out loans, the process is a little more complicated. These individuals need to first log into the ARS and check that the information listed is correct. After that, they will have to “repay all outstanding borrowed balance” on the account before starting any claims process. Lendf.me adds, “You need to repay the full amount within 7 days. If you have not repaid the full borrowing balance before due time, the collateral will be sold to repay the outstanding loans and the residual value (total supply — total borrow) in stablecoin will be returned to your address.” If there’s any money that isn’t claimed, or if the “collateral to loan ratio fall below 125%,” depending on which comes first, that money will be swapped for one or more stablecoins. However, Lendf.me doesn’t specify what will then happen with those funds. Seeing one hack is bad enough; seeing three in the span of just a couple of weeks is a definite indication of serious security flaws in the coding. The attacks exploit a flaw in the ERC-777 token standard that was first identified almost two years ago but which has still not been rectified. Given the fact that it is apparently easy to take advantage of the known vulnerability, and the fact that ERC-777 is being used in conjunction with money services, Ethereum developers should take the issue more seriously, but they appear not to be too concerned with making things right.