Theft and giving it back: $25M stolen and returned in Lendf.me debacle
Updated: May 1, 2020
A hacker recently exploited a vulnerability in decentralised lending protocol Lendf.me, operated by the dForce Foundation, to steal, and then return (not quite willingly) USD$25 million in ether (ETH) and bitcoin (BTC).
Not unlike the hack of decentralised exchange Bisq, which we discussed here, the hacker stole the funds by exploiting a vulnerability in the software underpinning the lending protocol. While specific details of the exploit have yet to be determined, a root cause and loss analysis published on Medium suggests that an incompatibility between certain ERC-777 tokens and the smart contracts used on Lendf.me is responsible for enabling a "reentrancy attack" (don't worry, we didn't know what that was either).
Reentrancy attacks allow hackers to withdraw funds repeatedly, in a loop, before the original transaction has finished and the contract has recorded the first withdrawal.
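As an added illustration (not code from the original post or from the dForce project), the toy Python model below shows why the ordering inside a withdrawal matters: an ERC-777 style receive hook is called mid-transfer, and if the pool only settles its ledger after that call, the hook can loop back into withdraw. The class and method names, the reserve and the deposit amount are all constructed for the example.

```python
class Pool:
    """Toy lending-pool ledger; transfers notify the recipient via a
    tokens_received hook, as ERC-777 tokens do, so withdraw can be re-entered."""
    def __init__(self, reserve, hardened):
        self.reserve = reserve        # constructed: tokens held for all users
        self.balances = {}
        self.hardened = hardened      # checks-effects-interactions + mutex
        self._locked = False

    def withdraw(self, who):
        if self.hardened and self._locked:
            raise RuntimeError("reentrant call rejected")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or amount > self.reserve:
                return 0
            if self.hardened:
                self.balances[who] = 0    # settle the ledger before calling out
            self.reserve -= amount
            self._transfer(who, amount)   # external call: the hook may re-enter
            if not self.hardened:
                self.balances[who] = 0    # vulnerable: settled only afterwards
            return amount
        finally:
            self._locked = False

    def _transfer(self, who, amount):
        hook = getattr(who, "tokens_received", None)
        if hook:
            hook(self, amount)


class ReenteringDepositor:
    """Depositor whose receive hook calls withdraw again mid-transfer."""
    def __init__(self):
        self.received = 0

    def tokens_received(self, pool, amount):
        self.received += amount
        try:
            pool.withdraw(self)           # the loop the post describes
        except RuntimeError:
            pass                          # hardened pool refuses the re-entry


def simulate(hardened):
    """Return (tokens the re-entering depositor got, reserve left in the pool)."""
    pool = Pool(reserve=100, hardened=hardened)
    attacker = ReenteringDepositor()
    pool.balances[attacker] = 10          # constructed: a 10-token deposit
    pool.withdraw(attacker)
    return attacker.received, pool.reserve
```

With the vulnerable ordering a 10-token deposit drains the whole 100-token reserve; with the ledger settled first and a mutex in place, the depositor gets exactly 10 back.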
In comments on the attack, Mindao Yang, founder of dForce, said that:
The hacker(s) have attempted to contact us and we intend to enter into discussions with them.
We are doing everything in our power to contain the situation. We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s)’s addresses, and engaged our legal teams.
Not long after this, and following an accidental leak of the hacker's IP address, multiple transactions were initiated from an address labelled "Lendf.Me Hack" to the admin address for the Lendf.Me project returning the majority of the stolen funds.
Strangely, the hacker did not return exactly the same balance of assets as were stolen, but returned close to the equivalent value in other types of tokens.
While there has yet to be any statement or publication by the hacker as to the reasoning for the return of the stolen funds, it's possible they were trading them, or reached some agreement to return a different amount in exchange for Lendf.me agreeing to drop the matter.
With past hacks being resolved entirely without the involvement of authorities, it's interesting to see the threat of a police report, and the immutable nature of the blockchain, once again being used to hold someone to account for their transactions.
If only more hacks had happy endings like this.