The dForce Hacker Returns Nearly All $25M of Stolen Funds

Since Saturday's attack, the dForce hacker has now been blocked from cashing out on their latest earnings.

Key Takeaways

  • The LendfMe hacker has returned more than $21 million to the protocol’s admin address following a complete drain of the money market pool.
  • Some assets acquired by the hacker ran on a central registry, limiting their ability to cash out.
  • Around 510,000 USDx was transferred.

On Apr. 19, 2020, dForce’s money market arm, LendfMe, was drained of all its liquidity after a known vulnerability was exploited. After being blacklisted from centralized registries, the hacker has returned just under $22 million in assets to LendfMe.

dForce Hacker: Cornered or Altruistic?

In the last few hours, the hacker who exploited a vulnerability in LendfMe’s ERC-777 pool has started to return stolen funds through various tokens. 

At 5:15 AM UTC, the hacker sent a transaction worth 0 ETH to LendfMe’s admin address with the message “email,” which presumably informed them that the hacker was willing to compromise and return assets.

Almost $20 million has been returned to LendfMe within the last day. Over $10 million in ETH, $10 million in stablecoins, and $1.9 million in other ERC-20 tokens were sent at 5:30 AM UTC.

Latest transactions from the hacker to LendfMe, via Etherscan.

It is unknown whether the dForce hacker had a sudden change of heart, following several despondent messages from exploited individuals, or if they were simply unable to sell their loot.

A handful of assets would have been impossible for the hacker to offload. 

imBTC is an ERC-777 token, meaning it has a central registry controlled by the operator, Tokenlon DEX. Owing to this centralized registry, the stolen tokens can be blacklisted, rendering them unredeemable and effectively useless.

HuobiBTC is an ERC-20 token that represents a claim on BTC. This is also operated by Huobi and only redeemable on their platform.

Centralized exchanges tend to blacklist addresses associated with hacks almost immediately, which means the exploiter would find it difficult to redeem Huobi BTC as well.

The rest of the tokens, such as DAI, ETH, KNC, BAT, and others, could have been kept by the hacker as Uniswap and other DeFi protocols don’t blacklist addresses.

The potential outcome could be a truce between the dForce hacker and LendfMe, whereby the hacker returns the stolen assets and receives a bounty of sorts.
