ForceDAO, a newly launched decentralized finance (DeFi) project, was attacked by five hackers. Hours after it launched, several malicious hackers managed to drain 183 ETH from the platform. A white-hat hacker alerted the team and helped to prevent further losses from being incurred.
The bug in the xFORCE contract code made it possible for anyone to call the deposit function whether or not they held FORCE tokens. It was then possible to create new xFORCE tokens without locking any tokens at all. The attacker could then trade the newly minted tokens for FORCE simply by calling the withdraw function of the smart contract.
The white-hat hacker eventually returned the over 14 million FORCE tokens he took. Sadly, the four black-hat hackers made off with about 6.75 million FORCE tokens. They traded them for Ether on several exchanges. As a result of this attack, the price of FORCE crashed 90%.
The platform clarified in the post-mortem that: “all funds on our platform are safe, only force, xForce, and Force/ETH LPs on UniSwap and SushiSwap were affected.”
According to Mudit Gupta of Polymath Network, the FORCE token's transfer function returns false when the sender has an insufficient balance instead of reverting. The xFORCE contract falsely assumes that FORCE will revert and does not check the returned value.
The ForceDAO team has acknowledged that the exploitation was preventable: “This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safe TransferFrom wrapper in the xSUSHI contract,” the team said.
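To make the failure mode concrete, here is an added illustration (not ForceDAO's code) of the two patterns described above: a vault that discards the bool returned by transferFrom, beside a hardened version that checks it the way OpenZeppelin's SafeERC20 does. The contract and function names are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern (constructed): the bool returned by transferFrom is discarded.
// With a token that returns false on insufficient balance instead of reverting,
// deposit() credits shares although no tokens were received.
contract VulnerableVault {
    IERC20 public immutable token;
    mapping(address => uint256) public shares;
    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount); // return value ignored
        shares[msg.sender] += amount;                           // credited regardless
    }

    function withdraw(uint256 amount) external {
        shares[msg.sender] -= amount;                           // reverts on underflow (0.8+)
        token.transfer(msg.sender, amount);
    }
}

// Hardened pattern: treat a false return as failure, as OpenZeppelin's SafeERC20
// does, while still tolerating tokens that return no data at all.
contract HardenedVault {
    IERC20 public immutable token;
    mapping(address => uint256) public shares;
    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external {
        _callOptionalReturn(abi.encodeCall(token.transferFrom, (msg.sender, address(this), amount)));
        shares[msg.sender] += amount;                           // only after a confirmed transfer
    }

    function withdraw(uint256 amount) external {
        shares[msg.sender] -= amount;
        _callOptionalReturn(abi.encodeCall(token.transfer, (msg.sender, amount)));
    }

    // Low-level call: revert if the call fails or returns a bool that is false.
    // (OpenZeppelin additionally verifies that the token address holds code.)
    function _callOptionalReturn(bytes memory data) private {
        (bool ok, bytes memory ret) = address(token).call(data);
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "SafeERC20: transfer failed");
    }
}
```

In production, importing OpenZeppelin's SafeERC20 and calling token.safeTransferFrom(...) is the standard way to get the hardened behaviour without hand-writing the low-level call.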
The hackers used the FTX and Binance exchanges to swap some of the stolen tokens, so it may still be possible to recover part of these funds. The bulk of the remainder was sold on decentralized platforms such as SushiSwap and 1inch.
In all, the hackers dumped nearly $350,000 worth of ETH. ForceDAO, for its part, issued an advisory cautioning users to avoid trading on any exchange until the issue was resolved.