Decentralized finance (DeFi) protocol ForceDAO was attacked by several hackers on Sunday morning, who drained 183 Ethereum (ETH) from the project, the project said on Twitter on 4 April.
According to the post-mortem of the incident, five hackers were responsible for the attack on ForceDAO, which occurred only hours after the project had launched its airdrop campaign on 3 April. One of the attackers, however, turned out to be a “white-hat” hacker, who assisted the team by alerting them to the exploit before further damage was done to the platform. The ForceDAO team said in a statement:
“We take responsibility for this engineering oversight and have begun processes to ensure any such incidents are mitigated in the future. We also want to thank the White Hat hacker who helped deter further FORCE tokens from being drained. We have a bounty for you.”
The team further explained in the post-mortem that only the xFORCE platform was affected, and that all “funds on our platform are safe”. xFORCE is described as the “interest-bearing” version of FORCE, and is a fork of a SushiSwap smart contract that contains a mechanism to revert tokens when a transaction has failed. The attackers exploited a flaw in the contract used by ForceDAO and were able to mint xFORCE tokens, which were then withdrawn and exchanged for ETH. The team admitted that:
“This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract.”
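The safeTransferFrom wrapper named in the statement above, sketched as an added example that is not ForceDAO's or SushiSwap's code. It assumes the staked token reports a failed transfer by returning false instead of reverting; the contract and function names and the 1:1 share accounting are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Illustrative sketch: StakingVault, enterUnchecked and enterChecked are
// hypothetical names, and shares are credited 1:1 to keep the example short.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingVault {
    IERC20 public immutable token; // underlying token being staked
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 _token) {
        // A call to an address without code succeeds with empty return data,
        // so the wrapper below is only sound if the token is a real contract.
        require(address(_token).code.length > 0, "token is not a contract");
        token = _token;
    }

    // Weak form: the boolean result is discarded. If the token signals failure
    // by returning false rather than reverting, shares are credited anyway.
    function enterUnchecked(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        _credit(msg.sender, amount);
    }

    // Hardened form: shares are credited only after the transfer is confirmed.
    function enterChecked(uint256 amount) external {
        _safeTransferFrom(msg.sender, address(this), amount);
        _credit(msg.sender, amount);
    }

    // Reverts if the call itself fails or if it returns data decoding to false.
    // Empty return data is accepted for tokens that return nothing on success.
    function _safeTransferFrom(address from, address to, uint256 amount) private {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }

    function _credit(address to, uint256 amount) private {
        shares[to] += amount;
        totalShares += amount;
    }
}
```

A review check that follows from this: every call to transfer or transferFrom on an external token should either go through such a wrapper or have its return value asserted.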
After the team had dealt with the unexpected situation, they decided to transfer 60 million FORCE tokens from the platform’s multi-signature wallet to a deployer wallet. They then used the tokens to create and execute three votes that would “effectively burn the FORCE balances” in three of the hackers’ addresses.
The ForceDAO team is now working with two separate security firms, which are reviewing and analyzing “our repos to ensure all contract systems perform as designed”. They are also working with the relevant authorities on investigating the hack, as some of the addresses originated from the FTX and Binance exchanges.
Shortly after the launch of the project, its native FORCE token had increased in value to around $2.30, but since the incident it has fallen in price by 97% and is now trading for $0.09.