ForceDAO Exploited for $367K after Launch Due to Engineering Oversight

ForceDAO, a newly launched DeFi aggregator, seems to have gotten off on the wrong foot. Hours after it launched, several attackers drained 183 ETH worth of FORCE, roughly $367,000, from the platform. A ‘white hat’ hacker alerted the team and helped prevent further losses.

In a post-mortem report on the attack, ForceDAO explained that the attackers were able to abscond with the funds because of an ‘engineering oversight’. According to CoinTelegraph, the ForceDAO team decided to transfer 60 million FORCE tokens from the platform’s treasury wallet into a ‘deployer’ wallet, a step that begins the process of burning the FORCE balance that was moved to the hackers’ wallet addresses.


POST-MORTEM

To the Force and DeFi community, we'd like to share a post-mortem on the recent xFORCE exploit.

Thanks to everyone technical and non-technical who helped along the way.

Especially to the White Hat who helped deter FORCE getting drained. https://t.co/MK2GH69yLd

— Force (@force_dao) April 4, 2021

In addition, the platform clarified in the post-mortem that: “all funds on our platform are safe, only xFORCE was affected.”

What Happened?

According to the post-mortem, the attackers exploited xFORCE, a fork of SushiSwap’s xSUSHI staking contract. That contract mints xFORCE shares to a depositor and then calls transferFrom to pull the deposited FORCE, but it never checks the call’s return value. The FORCE token reports a failed transfer by returning false rather than reverting, so a caller holding no FORCE at all could have the deposit call “succeed”, receive freshly minted xFORCE, and then redeem those shares for real FORCE held by the contract, which was withdrawn and swapped for ETH.

The ForceDAO team has acknowledged that the exploit was preventable: “This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract,” the team said.

From the post-mortem:

"Dear Force Community, I’m writing this post to share further information with regards to the xFORCE contract exploit that began at around 7:06 am UTC. We take responsibility for this engineering oversight and have begun processes to ensure any such incidents are mitigated in the future. We also want to thank the White Hat hacker who helped deter further FORCE tokens from being drained. We have a bounty for you. All funds on our platform are safe, only xFORCE was affected. A total of 183 ETH (~$367K) worth of FORCE were drained and liquidated. For the time being, I can confirm that there will be a snapshot and new token. We’ve begun internal re-structuring and will be announcing a plan over the coming days making any affected FORCE holders and LPs whole."

https://blog.forcedao.com/xforce-exploit-post-mortem-7fa9dcba2ac3
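As an added illustration (this is not ForceDAO’s code or the actual xFORCE contract), the Solidity below shows the unchecked-return pattern the post-mortem describes beside the fix it names. The token contract is a constructed stand-in whose transferFrom returns false instead of reverting; the contract names, the OpenZeppelin imports and the share arithmetic (the public SushiBar pattern) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed stand-in for a token that signals a failed transfer by
// returning false instead of reverting. Name and code are assumptions
// for this example; the real FORCE token is not reproduced here.
contract ReturnsFalseToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) {
            return false; // silent failure: the caller must check this
        }
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// xSUSHI-style staking contract as forked: the return value of transferFrom
// is ignored, so shares are minted whether or not any tokens arrived.
contract VulnerableBar is ERC20 {
    IERC20 public immutable token;

    constructor(IERC20 _token) ERC20("Vulnerable xToken", "vxTKN") { token = _token; }

    function enter(uint256 amount) external {
        uint256 pool = token.balanceOf(address(this));
        uint256 shares = totalSupply();
        _mint(msg.sender, (shares == 0 || pool == 0) ? amount : amount * shares / pool);
        token.transferFrom(msg.sender, address(this), amount); // BUG: return value unchecked
    }

    function leave(uint256 share) external {
        uint256 what = share * token.balanceOf(address(this)) / totalSupply();
        _burn(msg.sender, share);
        token.transfer(msg.sender, what);
    }
}

// Hardened variant: SafeERC20 reverts when the token returns false (or
// returns nothing at all), so a failed pull can never be followed by a mint.
contract HardenedBar is ERC20 {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;

    constructor(IERC20 _token) ERC20("Hardened xToken", "hxTKN") { token = _token; }

    function enter(uint256 amount) external {
        uint256 pool = token.balanceOf(address(this));
        uint256 shares = totalSupply();
        // Pull tokens first; a failed transfer reverts and nothing is minted.
        token.safeTransferFrom(msg.sender, address(this), amount);
        _mint(msg.sender, (shares == 0 || pool == 0) ? amount : amount * shares / pool);
    }

    function leave(uint256 share) external {
        uint256 what = share * token.balanceOf(address(this)) / totalSupply();
        _burn(msg.sender, share);
        token.safeTransfer(msg.sender, what);
    }
}
```

Against VulnerableBar, an account holding no tokens can call enter(1000): transferFrom returns false, the call does not revert, 1000 shares are minted, and leave(1000) then withdraws real tokens that honest stakers deposited. Against HardenedBar the same enter call reverts inside safeTransferFrom, so no shares exist to redeem. The hardened version also pulls tokens before minting, with the pool balance read beforehand so the share price matches the original ordering; the same protection is obtained with a token that reverts on failure, which is what the team meant by a standard OpenZeppelin ERC-20.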

Moreover, the team noted that some of the addresses that allegedly belong to hackers originate from two popular cryptocurrency exchanges: FTX and Binance. The ForceDAO team wrote that: “we’re currently engaged with 2 separate security firms to review and analyze our repos to ensure all contract systems perform as designed.”

As a result of the drama surrounding the launch, FORCE token prices have dropped significantly. CoinTelegraph reported that: “following the launch and airdrop, FORCE token prices surged to over $2 on Apr. 4, but have since crashed over 95% to $0.05” as of 8am GMT on April 5th. At press time, the price of FORCE was roughly $0.07.
