dForce / Lendf.Me Hack 2020 — $25M Exploit Analysis

Lendf.Me lending protocol was drained via ERC-777 reentrancy attack, exploiting the token callback mechanism to repeatedly borrow against the same collateral.

Details

Full Description

The attacker exploited an ERC-777 token callback reentrancy vulnerability in Lendf.Me (dForce's lending protocol). By depositing imBTC (an ERC-777 token), the attacker triggered the token's callback during deposit to reenter the withdraw function, effectively borrowing against the same collateral repeatedly and draining all protocol assets across multiple tokens.

Laundering Analysis

Unusually, the attacker returned all funds within 4 days after being identified through KYC information at dYdX and IP address metadata they left on-chain. dForce negotiated fund return in exchange for a bounty. Protocol resumed operations. This is one of the few 2020 DeFi hacks where nearly all funds were recovered.

Sources

Transaction Hashes

Related Hacks

Back to Browse