“Engineering Oversight” Costs ForceDAO $367k

Hackers made off with cryptocurrency worth $367k from a new decentralized finance (DeFi) aggregator within hours of its launch. 

ForceDAO was launched on the morning of April 3. Its operators discovered that the platform was being exploited after receiving a tip from a 'white hat' hacker. 

An investigation into the incident found that an "engineering oversight" had allowed cyber-criminals to steal 183 Ethereum (ETH).  

The thefts were able to take place because of a flaw in the SushiSwap smart contract used by ForceDAO, which contained a mechanism that could revert tokens used in failed transactions. Malicious hackers exploited this flaw to mint xFORCE tokens, which they then withdrew and exchanged for ETH.

“This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract,” said the ForceDAO team. 
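As an added example (not ForceDAO's, SushiSwap's or OpenZeppelin's code), the following sketch shows the kind of fix the team describes. It assumes the relevant defect is the classic unchecked ERC-20 `transferFrom` return value, which is exactly what a `safeTransferFrom` wrapper guards against; the contract and function names (`VaultBase`, `UncheckedVault`, `CheckedVault`, `_pull`, `_push`) are hypothetical, and the OpenZeppelin import paths are those of the v4 contracts package.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative xSUSHI-style staking vault (added example, not ForceDAO's or
// SushiSwap's code). Depositors hand over an underlying ERC-20 and receive
// shares in the vault; the share arithmetic is shared, only the token-moving
// calls differ between the two concrete contracts below.
abstract contract VaultBase {
    IERC20 public immutable underlying;
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    constructor(IERC20 token) {
        underlying = token;
    }

    function enter(uint256 amount) external {
        // Pool balance is read before pulling tokens so the share price is
        // computed against what the vault actually held.
        uint256 pool = underlying.balanceOf(address(this));
        _pull(msg.sender, amount);
        uint256 minted = (totalShares == 0 || pool == 0)
            ? amount
            : (amount * totalShares) / pool;
        shares[msg.sender] += minted;
        totalShares += minted;
    }

    function leave(uint256 share) external {
        uint256 payout = (share * underlying.balanceOf(address(this))) / totalShares;
        shares[msg.sender] -= share; // reverts on underflow under 0.8 checked math
        totalShares -= share;
        _push(msg.sender, payout);
    }

    function _pull(address from, uint256 amount) internal virtual;
    function _push(address to, uint256 amount) internal virtual;
}

// "Before": the bool returned by the ERC-20 calls is silently dropped. With a
// token that reports failure by returning false instead of reverting, _pull
// "succeeds" without moving anything and enter() mints shares backed by nothing.
contract UncheckedVault is VaultBase {
    constructor(IERC20 token) VaultBase(token) {}

    function _pull(address from, uint256 amount) internal override {
        underlying.transferFrom(from, address(this), amount); // return value ignored
    }

    function _push(address to, uint256 amount) internal override {
        underlying.transfer(to, amount); // same unchecked pattern
    }
}

// "After": SafeERC20 wraps each call, reverting when the token returns false
// (and tolerating tokens that return no value at all), so a failed transfer
// can never be followed by a share mint.
contract CheckedVault is VaultBase {
    using SafeERC20 for IERC20;

    constructor(IERC20 token) VaultBase(token) {}

    function _pull(address from, uint256 amount) internal override {
        underlying.safeTransferFrom(from, address(this), amount);
    }

    function _push(address to, uint256 amount) internal override {
        underlying.safeTransfer(to, amount);
    }
}
```

The other remedy the team names, a standard OpenZeppelin ERC-20, reverts on a failed transfer by itself, so even the unchecked vault would have been safe when paired with it. The `SafeERC20` wrapper is the more robust choice because it protects the vault regardless of how any particular token it is later paired with signals failure.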

The company added that “all funds on our platform are safe, only xFORCE was affected. A total of 183 ETH (~ $367K) worth of FORCE were drained and liquidated.”

The malicious activity began at around 7:00am UTC. After being alerted to the exploitation, the ForceDAO team transferred 60 million FORCE tokens from the treasury multisignature wallet into a deployer wallet. Those tokens were used to create and execute three votes, burning the FORCE balances in addresses used by three of the five suspected hackers.

"We take responsibility for this engineering oversight and have begun processes to ensure any such incidents are mitigated in the future," said ForceDAO in an xFORCE Exploit Postmortem.

"We also want to thank the White Hat hacker who helped deter further FORCE tokens from being drained. We have a bounty for you."

In an effort to defend against further attacks, ForceDAO has engaged two separate security firms "to review and analyze our repos to ensure all contract systems perform as designed."

The launch-day raid on the new DeFi platform has dramatically impacted the price of FORCE tokens. 

CoinTelegraph reported that “following the launch and airdrop, FORCE token prices surged to over $2 on Apr. 4, but have since crashed over 95% to $0.05” as of 8am GMT on April 5th. At press time, the price of FORCE was roughly $0.07.
