Hackers managed to steal approximately $367k worth of cryptocurrency from a newly launched decentralized finance (DeFi) aggregator in a swift and calculated attack. ForceDAO, the platform in question, fell victim to cyber-criminals within hours of its debut on April 3. The breach was only discovered after a ‘white hat’ hacker tipped off the operators about the exploit.
Upon further investigation, it was revealed that the hackers exploited an “engineering oversight” within the platform that allowed them to siphon off 183 Ethereum (ETH). The flaw resided in the SushiSwap smart contract utilized by ForceDAO, which contained a loophole that enabled the reversal of tokens in failed transactions. Exploiting this vulnerability, the malicious actors minted xFORCE tokens, subsequently exchanging them for ETH.
The ForceDAO team acknowledged that the incident was preventable, citing the use of a standard OpenZeppelin ERC-20 or the inclusion of a safeTransferFrom wrapper in the xSUSHI contract as potential safeguards. Despite the breach, the company assured users that all funds on the platform remained secure, with only xFORCE tokens being affected by the attack.
In response to the breach, the ForceDAO team swiftly transferred 60 million FORCE tokens from the treasury multisignature wallet into a deployer wallet to mitigate further losses. This action resulted in the burning of the FORCE balances held by three of the suspected hackers.
Taking responsibility for the security lapse, ForceDAO initiated measures to enhance its security protocols and engaged two security firms to conduct a thorough review of its repositories. The platform also expressed gratitude towards the white hat hacker who aided in halting the further drainage of FORCE tokens, offering a bounty as a token of appreciation.
The aftermath of the attack had a significant impact on the price of FORCE tokens, with CoinTelegraph reporting a surge to over $2 post-launch followed by a staggering 95% crash to $0.05. As of April 5th, the price of FORCE stood at approximately $0.07.
The incident serves as a stark reminder of the inherent risks associated with the DeFi space and underscores the importance of robust security measures in safeguarding users’ assets. ForceDAO’s commitment to fortifying its defenses and learning from this experience is crucial in maintaining trust within the DeFi community.