2 Reasons Why Ethereum DeFi Hacker Returned $25 Million in Hacked Funds

The weekend saw an exploit of the dForce DeFi protocol which netted hackers $25 million worth of crypto. This consisted mostly of Ethereum and stablecoins, with Bitcoin bringing up the tail end of assets stolen.

But in a stunning turn of events, the attacker has since returned the stolen funds. Observers believe this was due to poor hacking practice that left his identity exposed.

Mostly Ethereum Stolen in dForce Attack

On Saturday night there was an attack of the Lendf.Me open-source market protocol, which is part of the dForce network of DeFi protocols.

dForce currently operates two protocols, the other one being USDx. This is a meta-stablecoin that is pegged against a basket of regulated stablecoins in USDC, PAX, and TUSD.

Like the crop of most DeFi protocols at present, Lendf.Me operates by matching the supply and borrowing of Ethereum-based ERC20 tokens. It allows users to deposit ERC20 stablecoins to earn interest or borrow supported assets using crypto as collateral.

The attack netted $10 million of Ethereum, $4.4 million Bitcoin, with the $10.4 million balance consisting of various stablecoins.

According to blockchain security researchers, PeckShield, the attacker exploited a bug in the lending function that approved the release of funds in collateral exchange for imBTC, a token which pegs Bitcoin and Ethereum.

“the deposit function, i.e., supply() in Lendf.Me is hooked by embedding an additional withdraw() operation, leading to the effect of increasing the internal record of the attacker’s imBTC collateral amount without actually depositing the amount.”

dForce DeFi protocol exploited to steal mainly Ethereum

Value locked in dForce in USD following the attack. (Source: defipulse.com)

Not only that, but CEO of fellow DeFi protocol Compound, Robert Leshner took the opportunity to launch a scathing attack on dForce by accusing it of stealing Compound’s code.

The Unexpected Return of Funds

However, earlier this morning, in an astonishing turnaround, the attacker set about returning all of the stolen funds. This includes the lions share of $10 million Ethereum. But it seems as though the stablecoins were exchanged for other crypto assets before returning.

It’s unclear what motivated this action, but Larry Cermak, Director of Research at The Block, drew attention to critical oversights made by the attacker in laundering the proceeds.

Namely, in moving the stolen Ethereum and other crypto assets, to decentralized exchanges, the hacker simply used a VPN or proxy server, whereas more experienced hackers would facilitate the transfer using a decentralized network, such as Tor.

This blunder leaked metadata, including his IP address and also left a pathway to trace his identity via the subpoena of information from the server operator.

What’s more, Sergej Kunz, CEO of 1inch exchange, which was one of the decentralized exchanges used in laundering the stolen funds, was willing to discuss the issue openly.

Indeed, Kunz’s cooperation in the matter highlights industry-wide cooperation in fighting hackers. Regarding the incident, Kunz remarked:

“He seems to be a good programmer, but an inexperienced hacker.”

On that note, even though the hacker has now returned the stolen crypto assets, the reputation of DeFi remains tarnished.

Featured image from Unsplash.

     
 
 

error: Content is protected