Hackers made off with 183 Ethereum (ETH), worth roughly $386,000 at the time of writing, in a coordinated attack on DeFi platform ForceDAO on Sunday. After an initial selloff, ForceDAO’s native FORCE token was in recovery mode on Monday, capping off a highly volatile 24 hours for the newly launched project.
ForceDAO detailed the Sunday exploit in a series of tweets, taking ownership of the “engineering oversight” that resulted in the attack, which centered around the platform’s xFORCE contract.
To the Force and DeFi community, we’d like to share a post-mortem on the recent xFORCE exploit.
Thanks to everyone technical and non-technical who helped along the way.
Especially to the White Hat who helped deter FORCE getting drained. https://t.co/MK2GH69yLd
— Force (@force_dao) April 4, 2021
In a follow-up blog post, Alberto Cevallos explained:
“The exploiters were able to deposit FORCE tokens that would fail the transfer [f]rom call and receive xFORCE tokens, as the xFORCE contract expects a revert from the token but instead receives false.”
“A user could then withdraw these newly minted xFORCE tokens for the remaining FORCE tokens in the vault, and liquidate them for ETH on exchanges.”
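The failure mode described in the post-mortem, as a simplified Python model added here (not ForceDAO's contract code): a token that signals a failed transfer by returning false instead of reverting, and a vault whose deposit either ignores or checks that value. The class names, account names and the 1:1 share ratio are assumptions made for illustration.

```python
# Simplified model of the unchecked-return-value bug (illustrative, not the real contracts).
class Revert(Exception):
    """Stands in for an EVM revert: the call is rejected."""

class FalseReturningToken:
    """Hypothetical token: a failed transfer_from returns False rather than reverting."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer_from(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            return False  # failure is visible only through the return value
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True

class Vault:
    """Hypothetical 1:1 share vault; 'checked' selects the hardened deposit path."""
    def __init__(self, token, checked):
        self.token, self.checked = token, checked
        self.shares = {}

    def deposit(self, user, amount):
        ok = self.token.transfer_from(user, "vault", amount)
        if self.checked and not ok:
            raise Revert("transfer_from returned False")
        # Unchecked path reaches this line even when no tokens arrived.
        self.shares[user] = self.shares.get(user, 0) + amount

    def is_backed(self):
        """Invariant: outstanding shares never exceed tokens held by the vault."""
        return sum(self.shares.values()) <= self.token.balances.get("vault", 0)

def run_scenario(checked):
    """Constructed scenario: a funded deposit, then a deposit from an empty account."""
    token = FalseReturningToken({"honest": 100, "empty": 0})
    vault = Vault(token, checked)
    vault.deposit("honest", 100)
    try:
        vault.deposit("empty", 100)  # the underlying transfer fails
        rejected = False
    except Revert:
        rejected = True
    return rejected, vault.shares.get("empty", 0), vault.is_backed()

if __name__ == "__main__":
    print("unchecked:", run_scenario(False))
    print("checked:  ", run_scenario(True))
```

In Solidity the equivalent hardening is to wrap the token call in `require(...)` or to use a safe-transfer wrapper such as OpenZeppelin's SafeERC20. The `is_backed` invariant is the kind of property a test suite or monitor can assert after every deposit.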
An additional 14.8 million FORCE tokens were compromised in the initial attack, though they’ve since been returned to the pool.
Often described as a quantitative hedge fund, Force is both a protocol and decentralized autonomous organization, or DAO, that’s designed to produce higher-yielding DeFi opportunities for its community.
The FORCE token collapsed more than 99% on Sunday, from $2.21 to a low of just 2 cents, according to CoinGecko. The token has since recovered 173% in the last 24 hours.