On Saturday 18th April 2020, the world of decentralized finance (DeFi) was hit by another attack: the DeFi platform Lendf.me, part of the dForce network, lost over $25 million in Bitcoin (BTC) and Ethereum (ETH) to a hacker.
How the Attack Was Perpetrated
As reports have it, the hacker used the imBTC token as the Trojan horse of the attack. This token was written according to the ERC-777 specification, which is considered a more advanced but vulnerable version of the common ERC-20 standard.
The hacker exploited this vulnerability by combining it with a security loophole in Lendf.me's contracts, specifically in how a user's balance is updated.
Frank Topbottom, an analyst, explained the nature of the attack via his Twitter feed. He averred that the attacker executed several iterations to make the hack simple.
“The second attack using imBTC is more interesting. At the very beginning, attacker drained imBTC from other users on Lendf.me. Further, he repeated iterations to increase the ability to borrow other assets…”
The analyst further explained that the hacker deposited imBTC on the Lendf.me platform in each transaction, and all of these transactions were registered and reflected in his account balance.
Importantly, the contract failed to update the hacker's account balance when he withdrew funds. This left him free to redeposit the BTC, doubling his account balance in every transaction attempt.
Eventually, the attacker was able to drain nearly all of the imBTC available on Lendf.me, a total of 291 imBTC worth $2 million.
He then took the attack further, using the counterfeit balance as collateral to borrow almost all the tokens left on the platform, summing up to over $25 million in Bitcoin (BTC), Ethereum (ETH) and other cryptocurrencies.
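The balance-update flaw described above can be modelled in a few lines. The following Python simulation is an added example, not code from Lendf.me, dForce or imBTC; it assumes the deposit path caches the user's balance before the token's ERC-777-style transfer hook runs, and every class and function name in it is hypothetical. It shows the stale write beside a hardened pool that rejects the nested call.

```python
# Simplified model; names are assumptions, not Lendf.me's or imBTC's code.
class HookToken:
    """Token that, like ERC-777, runs a sender-registered hook during transfer."""
    def __init__(self, balances):
        self.bal, self.hooks = dict(balances), {}
    def transfer(self, src, dst, amount):
        if src in self.hooks:
            self.hooks[src]()              # sender's code runs mid-transfer
        if self.bal[src] < amount:
            raise ValueError("insufficient tokens")
        self.bal[src] -= amount
        self.bal[dst] += amount

class Pool:
    def __init__(self, token, hardened):
        self.token, self.hardened = token, hardened
        self.credit, self.busy = {"user": 0}, False
    def _guard(self):
        if self.hardened and self.busy:
            raise RuntimeError("reentrant call rejected")
    def deposit(self, user, amount):
        self._guard()
        self.busy = True
        try:
            cached = self.credit[user]     # read before the external call
            self.token.transfer(user, "pool", amount)
            # Vulnerable path writes the stale value, undoing the hook's withdrawal.
            base = self.credit[user] if self.hardened else cached
            self.credit[user] = base + amount
        finally:
            self.busy = False
    def withdraw(self, user, amount):
        self._guard()
        if self.credit[user] < amount:
            raise ValueError("insufficient credit")
        self.credit[user] -= amount        # effect before interaction
        self.token.transfer("pool", user, amount)

def simulate(hardened):
    # Constructed balances: the pool's 900 tokens belong to other depositors.
    token = HookToken({"user": 101, "pool": 900})
    pool = Pool(token, hardened)
    pool.deposit("user", 100)
    token.hooks["user"] = lambda: pool.withdraw("user", 100)
    try:
        pool.deposit("user", 1)
    except RuntimeError:
        pass                               # nested call rejected before any state change
    return pool.credit["user"], token.bal["user"]
```

In the unhardened run the user ends with 101 credited while still holding 100 tokens, so the credit is backed by other depositors' funds; the hardened run leaves 100 credited and 1 token held.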
Hacker’s Identity Slightly Leaked
After the devastating incident, an interesting development started to play out, which resulted in on-chain messages.
The hacker made 3 transactions of about $250,000 in PAX tokens to 1inch.exchange and ParaSwap. Observers have generally termed this a peace gesture, as Pax in Latin means “peace”.
Afterward, Lendf.me sent a message with a threatening tone, “Contact us, for your better future.”
When a spokesperson for 1inch.exchange spoke with Cointelegraph, he said the attacker leaked vital information about his identity by using 1inch.exchange's web-based content delivery network directly, instead of the IPFS-based frontend.
The attacker was also identified as using a Mac. His device’s screen resolution and system language were revealed, which made 1inch conclude that “He seems to be a good programmer, but an inexperienced hacker.”
This information about the hacker's identity has become the object of police investigations. By the look of things, the hacker could be compelled to return the stolen funds to avoid the wrath of the law.