On April 19, Lendf.me, the decentralized lending platform under DForce’s umbrella of DeFi services, was hacked for $25 million. In other words, Lendf.me had over 99% of its total value locked stolen; and as a result, the Lendf.me protocol has been suspended until further notice.
This hack comes just one day after Decentralized Exchange Uniswap was exploited for $300,000, and just weeks after MakerDao’s DeFi lending platform, Compound, was exploited for over $4 million. Both events call the security of Ethereum based DeFi lending platforms into question and are likely to change the way decentralized lending platforms secure themselves and do business in the future.
How did the DForce hack happen?
Through a well-known ERC-777 vulnerability, hackers were able to steal nearly all of the value locked away in the Lendf.me protocol—a total of $25 million. The ERC777 vulnerability allowed the attackers to continually withdraw funds before the service provider could update their balance sheet to reflect the previous withdrawals. The DForce hackers executed this attack until the DForce balance sheet only had $6 remaining.
Source: DeFi Pulse
This same ERC777 vulnerability was used on April 18 to exploit decentralized exchange Uniswap for a total of $300,000. According to many sources, a similar vulnerability was used in the Ethereum DAO hack of 2016, an exploit of the Ethereum network that allowed the attacker to make off with over $50 million worth of digital currency. With so many exploits of the Ethereum network taking place, this calls the security of the Ethereum network into question, as well as the safety and risks associated with using DeFi lending platforms built on Ethereum.
stop trying to revolutionise society and make something useful for once https://t.co/qYlPkbLRNA
— mark ⌘ (@mwilcox) April 19, 2020
Are DeFi services safe?
Given the action we have seen in recent weeks, such as MakerDao being exploited for over $4 million, the DeFi lending platform bZx being exploited for $370k in February, Uniswap being exploited for $300,000 on April 18th, and now, Lendf.me being exploited for $25 million, it’s safe to say that using Ethereum-based DeFi platforms comes with a significant amount of risk that could result in all of your funds that are locked away on these platforms being stolen by hackers.
Ethereum-based DeFi services are still in their early days, and appear to be flawed in many ways. To mitigate risk, it might be best to withhold from participating on these platforms until their bugs have been solved and their issues sorted. However, it’s not surprising that an Ethereum-based platform would run into these issues. Although software developers are attracted to Ethereum, the Ethereum network and code is convoluted and full of faults…faults that have amounted to millions of dollars being stolen by hackers over the years.
Something developers might want to consider is building these sorts of protocols on Bitcoin SV (BSV). Because when building on Bitcoin BSV, you would be able to track the stolen funds and bring the platform operators to court over misappropriating funds—something that’s nearly impossible to do on other blockchains.
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.