DeFi aggregator hacked by five hackers on launch day

The fledgling decentralized finance protocol ForceDAO got off to a rough start, with several hacker incursions taking place just hours after its launch.

The Ethereum-based yield aggregator had just launched its airdrop campaign on April 3 when four malicious black-hat hackers managed to drain a total of 183 ETH, worth approximately $367,000 at the time. A friendly “white hat” hacker also assisted the team by alerting them, which helped avoid further losses.

The team released a post-mortem of the attacks and took responsibility for what it called “engineering supervision”.

After the attacks, the team decided to transfer 60 million FORCE tokens from the treasury’s multi-signature wallet to a deployer wallet in order to create and execute three votes that would effectively burn the FORCE balances held at three of the hackers’ addresses.

The post-mortem explained that the affected xFORCE platform was a fork of a SushiSwap smart contract containing a mechanism to revert tokens in the event of failed transactions. The protocol describes xFORCE as the “interest-bearing” version of FORCE, representing shares in its pools in much the same way that LP tokens do.

A flaw in the contract used by ForceDAO allowed attackers to exploit this mechanism to mint xFORCE tokens, which were then withdrawn and exchanged for ETH on the markets. The team acknowledged that the attack would have been relatively easy to prevent.

“This could have been avoided by using a standard OpenZeppelin ERC-20 or by adding a safeTransferFrom wrapper to the xSUSHI contract.”
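The mitigation named in the quote, sketched as an added example (this is not ForceDAO's or SushiSwap's code): a staking vault whose deposit path uses OpenZeppelin's `SafeERC20.safeTransferFrom`, which reverts when the underlying token call fails or returns `false`, and which mints shares only after the tokens have arrived. The contract name, token name and symbol are hypothetical, and the import paths assume OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical share-issuing vault in the style of an xSUSHI fork (added example).
contract HardenedStakingVault is ERC20 {
    using SafeERC20 for IERC20;

    IERC20 public immutable stakedToken;

    constructor(IERC20 stakedToken_) ERC20("Staked Share (example)", "xEXAMPLE") {
        stakedToken = stakedToken_;
    }

    // Deposit `amount` of the underlying token and receive vault shares.
    function enter(uint256 amount) external {
        uint256 balanceBefore = stakedToken.balanceOf(address(this));
        uint256 totalShares = totalSupply();

        // safeTransferFrom reverts if the call fails OR the token returns false,
        // so a failed transfer can never be silently ignored.
        // Pulling funds before minting means shares never exist without a deposit.
        stakedToken.safeTransferFrom(msg.sender, address(this), amount);

        // Credit only what actually arrived in the vault.
        uint256 received = stakedToken.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");

        uint256 shares = (totalShares == 0 || balanceBefore == 0)
            ? received
            : (received * totalShares) / balanceBefore;
        _mint(msg.sender, shares);
    }

    // Burn `shares` and withdraw the proportional amount of the underlying token.
    function leave(uint256 shares) external {
        uint256 amount = (shares * stakedToken.balanceOf(address(this))) / totalSupply();
        _burn(msg.sender, shares);
        stakedToken.safeTransfer(msg.sender, amount);
    }
}
```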

The team added that the hack is currently under investigation, as some of the addresses come from the popular FTX and Binance exchanges. A snapshot will be taken and the project will be restarted with a new xFORCE token added.

After the launch and airdrop, the price of FORCE tokens rose to more than $2 on April 4, but has since dropped by more than 95%, to $0.05 at the time of writing.