Ethereum DeFi project ‘ForceDAO’ gets hacked hours after launch

ForceDAO, a shiny new decentralized finance (DeFi) project, got attacked by five hackers this morning, reviving concerns around the highly experimental sector and the seemingly unending amounts of money flowing into hours-old projects.

ATTENTION

Our team is aware of the xFORCE contract exploit and has identified the nature of the issue.

There are no further funds available on the xFORCE contract to be exploited.

All other vaults are safe.

We will provide a post-mortem and next steps over the coming hours.

— Force (@force_dao) April 4, 2021

Another day, another DeFi hack

The Ethereum-based project fashions itself as a decentralized autonomous organization (DAO) for ‘quant finance.’ It aims to leverage high returns from yield-bearing DeFi protocols and produce superior returns by adhering to community-proposed strategies and rewarding the strategists with powerful incentives.

This seems to be the exploiter for $XFORCEhttps://t.co/WS649tJ1Fe

> Minted $XFORCE
> Withdrew $FORCE using minted $XFORCE
> Sold $FORCE through 1inch

Don’t seem to really care about opsec seeing how the initial funds are seeded from FTX

🤷‍♂️

— defiOWL (@OwOtrades) April 4, 2021

Last week, the protocol’s developers said they would “airdrop” tokens to users of other DeFi protocols to ensure a fair launch and attract various crypto communities to their own. A total of 25 million FORCE tokens (out of a fixed 100 million supply) were to be distributed over the next month to those staking on Aave, Alchemix, Badger, Balancer, Curve, Maker DAO, Synthetix, Sushi, Vesper, and Yearn Finance.

But this morning, things on the much-awaited airdrop went awry. It got attacked by an estimated five hackers in the hours post the airdrop, causing FORCE prices to plunge more than 90% in a sudden, drastic fall.

Interesting situation going on with ForceDAO. Liquidity has been withdrawn, price is down 90%+ and there are indications that it could have been a white hat “hack” pic.twitter.com/Y5aUcvvuG0

— Larry Cermak (@lawmaster) April 4, 2021

The day ForceDAO got hit

Mudit Gupta, blockchain lead at Polymath Network, took to Twitter to explain what happened. As per him, the hackers exploited a known Solidity issue (Solidity is the underlying code of Ethereum), that allowed users to obtain FORCE tokens via an illicit process.

Hackers were able to manipulate the way xFORCE tokens (the “interest-bearing” version of FORCE that represents one’s share in the FORCE profit-sharing pool) are handled on the platform and get FORCE tokens in return, he noted.

xFORCE contract from @force_dao hacked and drained by a whitehacker. In the FORCE token, the transfer functions return false rather than reverting when the sender doesn’t have enough balance. The xFORCE contract assumes FORCE will revert and does not handle the returned value. pic.twitter.com/lPo9vJ48bs

— Mudit Gupta (@Mudit__Gupta) April 4, 2021

“In the FORCE token, the transfer functions return false rather than reverting when the sender doesn’t have enough balance. The xFORCE contract assumes FORCE will revert and does not handle the returned value,” Gupta said.

He added:

“This means anyone can call the `deposit` function of the xFORCE contract even if they do not have any FORCE tokens. The xFORCE contract will mint them fresh xFORCE tokens even though it will fail to lock their nonexistent FORCE tokens.”

Gupta stated that over five hackers seemed to have attacked the project after reviewing the various addresses that the alleged hackers conducted their attack from. One was a ‘whitehat’ hacker who promptly returned the funds back to the network, but the others sold their proceeds.

Hacker 4 – Drained about 300k FORCE tokens, sold most of them on DEXs for ~50 ETH ($100k).https://t.co/YME1GUGpib

Hacker 5 – Drained about 1.1m FORCE tokens, sold some for ~45 ETH ($95k).https://t.co/1upadhvjOU@etherscan Can you please tag these accounts as hackers as well?

— Mudit Gupta (@Mudit__Gupta) April 4, 2021

Nearly $350,000 worth of ETH was dumped by the hackers in all. ForceDAO, on its part, issued an advisory that cautioned users to avoid trading on any exchanges until the issue was solved. The team has not issued any other statement as of press time.

Like what you see? Subscribe for updates.