DeFi projects have been frequent targets of attacks recently. The DeFi project ForceDAO was the victim of a multi-million dollar attack earlier today. A white hat hacker found a bug in the smart contract’s code. This bug in the xFORCE contract made it possible for someone to call the “deposit” function whether or not they had FORCE tokens. It was then possible to create new xFORCE tokens without locking any tokens. Those tokens could then be traded for FORCE by simply calling the “withdraw” function of the smart contract.
Black Hat Hackers Sell Off Their Loot
The white hat hacker eventually returned the more than 14 million FORCE tokens he took. Sadly, some black hat hackers got wind of the exploit and made off with a substantial number of FORCE tokens. Four of these black hat hackers made off with about 6.75 million FORCE tokens and traded them for Ether on several exchanges. As a result of this attack, the price of FORCE slumped briefly by 95%.
According to Mudit Gupta of Polymath Network, the FORCE token’s transfer function returns false when the sender has an insufficient balance instead of reverting. The xFORCE contract falsely assumes that FORCE will revert and so does not check the returned value.
FTX was one of the exchanges a black hat hacker used to exchange the stolen tokens, so it may still be possible to recover part of these funds. The bulk of the remainder has been sold on decentralized platforms like SushiSwap and 1inch.