The dForce Loss to Hackers is a Symptom of something Deeper in DeFi
The dForce hack points to deeper problems with DeFi Startups.
Open lending protocol dForce has had a rough week since it raised capital from the cryptocurrency exchange Huobi. The protocol lost about $25 million, roughly the entire value of the tokens it held.
All of this came just after dForce raised about $1.5 million from Huobi on Thursday of last week. Until then the open lending platform had seemed impregnable, and the crypto space has been taken aback by the attack.
dForce Gets Hacked
The LendF protocol had security problems. Sources say the attackers exploited a reentrancy vulnerability in the dForce protocol; the same vulnerability had been seen in Uniswap.
The attackers used the ERC-777 token standard to carry out the attack. The standard itself is not defective, but it includes a feature that made the exploit possible. Sources point to an exploit published by OpenZeppelin on GitHub as the source of the problem.
The attackers used the reentrancy flaw to drain funds by "looping" withdrawal requests, re-entering the contract before the earlier request had finished executing.
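The reentrancy pattern described above, as an added Solidity example that is not dForce's or LendF.me's code: a constructed vault that sends an ERC-777 token before updating the caller's balance, next to the same vault hardened with checks-effects-interactions and a reentrancy guard. The IERC777 interface, the vault names and the credit() funding function are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal ERC-777 interface: send() invokes the recipient's tokensReceived
// hook before it returns. Toy vault for illustration, not dForce's code.
interface IERC777 {
    function send(address to, uint256 amount, bytes calldata data) external;
}
// VULNERABLE: the balance is reduced only after the external token call, so a
// recipient contract's hook can re-enter withdraw() while the vault still
// records the original balance, draining it in a loop.
contract VulnerableVault {
    IERC777 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC777 t) { token = t; }

    // Constructed stand-in for a deposit path, kept trivial for the example.
    function credit(address user, uint256 amount) external { balances[user] += amount; }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        token.send(msg.sender, amount, "");  // interaction first: hook runs here
        balances[msg.sender] -= amount;      // effect last: too late
    }
}
// HARDENED: checks-effects-interactions plus a mutex. A re-entrant call now
// sees the already-reduced balance and is rejected by the guard as well.
contract HardenedVault {
    IERC777 public immutable token;
    mapping(address => uint256) public balances;
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    constructor(IERC777 t) { token = t; }
    function credit(address user, uint256 amount) external { balances[user] += amount; }
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;      // effect before interaction
        token.send(msg.sender, amount, "");  // hook can no longer re-enter
    }
}
```

The only difference between the two withdraw() bodies is the order of the balance update and the token call; the guard is a second, independent line of defence.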
This kind of attack shows that a lot of things are wrong with the dForce setup.
First of all, crypto is still a new technology, so all kinds of approaches coexist. Decentralized finance (DeFi), a sub-field within the crypto space, is younger still. Many see the attack as the result of dForce copying whatever it could from whoever it thought had done the job best.
dForce Copies Everything
A cursory look at their business model shows this weakness clearly. Their USDx token is a case in point. Another DeFi organization already has a USDX: Kava launched its USDX stablecoin in the middle of last year.
It aimed to provide a US-dollar-pegged stablecoin for the decentralized finance ecosystem, and the USDX stablecoin was also backed by XRP tokens. dForce, it appears, has done everything within its power to undercut Kava at every turn.
Unnamed sources within the Kava ecosystem cite dForce's numerous attempts as an example of the lack of fair play dForce has shown so far.
These include the use of Kava's USDX ticker and repeated efforts to get people to use its USDx instead. The dForce team's lack of creativity seems to have extended into its code as well, and that may be what is responsible for the hack.
Security is Lacking
The truth is that once you copy code, you have to find a way to secure and adapt it, because your version will still carry the original code's vulnerabilities.
As such, dForce hasn't even been a good copycat. According to sources, the dForce team had repeatedly stated that their code came from the Concourse library. Without disputing these claims, others within the crypto space have accused dForce of copying code.
Robert Leshner, founder of Compound Finance and Robot Ventures, pointed out that dForce copied the main source code for its smart contracts from other parties.
He indicated this in a tweet and pointed out a lesson for developers:
If a project doesn't have the expertise to develop its own smart contracts, and instead steals and redeploys somebody else's copyrighted code, it's a sign that they don't have the capacity or intention to consider security.
Hope developers & users learn from the @LendfMe hack.
— 🤖 Leshner (@rleshner) April 19, 2020
This goes to show that many pairs of eyes are watching the various happenings within the DeFi space.
Kava’s CEO Brian Kerr had spoken exclusively about the matter. According to sources, he admitted that
“Building any financial service on ETH is quite problematic for security. Testing the possible outcomes and bugs of Solidity is near impossible as it can do virtually anything as a Turing complete language. While powerful, it’s probably the worst environment to build financial infrastructure”.
He also described the programming process at Kava, saying that
“At Kava, all our code is built from the ground up, in Golang, in very discrete modules that are scoped to very specific actions that we can “formally verify” meaning that we can fully test the code to a very high confidence for its accuracy and security”.
He also spoke specifically about dForce. He said that
“As for dForce specifically, it is a tragedy for what happened to the users’ funds. Lots of people lost hard-earned money due to basic negligence. I don’t like to say bad things about others usually; hacks can happen to any team, but the dForce incident is particularly bad”.
“The fault is both on the dForce team and the users. dForce didn’t understand what they were doing and marketed an unsafe product. The users didn’t do their own due diligence on the team or the codebase to make sure it’s safe”.
At the end of the day, it boils down to understanding how to use creativity properly. There are three kinds of creativity: copycat creativity, pure creativity, and innovation. dForce didn’t understand the risks and went with the first.