Newly launched decentralized finance (DeFi) platform, ForceDAO got attacked by hackers barely a few hours after it launched. DeFi platforms have been hacked in recent times, and this time ForceDAO happens to be the latest victim.
Hackers Steal $367,000 In DeFi Hack
A total of 183 ETH worth approximately $367,000 at the time was said to be drained and liquidated from the Ethereum-based yield aggregator by four malicious “black-hat” hackers. The fifth hacker was an ethical white-hat who assisted the company in preventing further losses by alerting them.
According to Mudit Gupta, blockchain team lead at Polymath Network, who detailed the Twitter thread attack, the hackers invaded the project when they noticed a bug in the xFORCE contract’s code.
This means anyone can call the `deposit` function of the xFORCE contract even if they do not have any FORCE tokens. The xFORCE contract will mint them fresh xFORCE tokens even though it will fail to lock their non existent FORCE tokens.
— Mudit Gupta (@Mudit__Gupta) April 4, 2021
This code’s flaw allowed anyone to call the “deposit” function regardless of whether they were holding FORCE tokens.
This option meant it was possible for anyone to mint xFORCE tokens from the contract without locking any tokens in the vault. Anyone could then exchange these tokens for FORCE by calling the “withdraw” function in the contract.
The ForceDAO team acknowledged the attack thanking those who helped to deter the platform from getting drained. In a statement, the DeFi platform released a breakdown of the attacks terming it as an “engineering oversight.” However, they confessed that the hacks would have been easily prevented.
“This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract.” the company stated.
The company also explained that the xFORCE platform affected was a fork of a SushiSwap smart-contract containing a mechanism to revert tokens in the event of failed transactions. The protocol describes xFORCE as the “interest-bearing” version of FORCE, representing shares in its pools similar to how LP tokens work.
Moving forward, ForceDAO said it is still investigating some of the addresses which originated from popular exchanges FTX and Binance. The DeFi platform added that the project would be re-launched with a new xFORCE token.
Hackers Moving To NFTs
The DeFi sector has undoubtedly been hacked a lot due to the high level of adoption. However, with the attention NFTs are getting, reports suggest NFTs aren’t so safe anymore.
Short for non-fungible tokens, they are pieces of digital content linked to the blockchain that gives a buyer original ownership over digital art pieces.
Last month, several Twitter users reported that their accounts on the platform Nifty Gateway had been hacked, and NFTs worth thousands of dollars were stolen. The company, however, said that it was caused by the users who didn’t enable the two-factor authentication.
This highlights another important facet of NFTs: they are just as potentially hackable as your email or any other online account opposed to the belief that they are very secure.