“Engineering Oversight” Costs ForceDAO $367k

Hackers made off with cryptocurrency worth $367k from a new decentralized finance (DeFi) aggregator within hours of its launch. 





ForceDAO was launched on the morning of April 3. Its operators discovered that the platform was being exploited after receiving a tip from a 'white hat' hacker. 





An investigation into the incident found that an "engineering oversight" had allowed cyber-criminals to steal 183 Ethereum (ETH).  





The thefts were able to take place because of a flaw in the SushiSwap smart contract used by ForceDAO, which contained a mechanism that could revert tokens used in failed transactions. Malicious hackers exploited this flaw to mint xFORCE tokens, which they then withdrew and exchanged for ETH.





“This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract,” said the ForceDAO team. 
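The kind of wrapper the team's statement refers to can be sketched as follows. This is an added example, not ForceDAO, SushiSwap or OpenZeppelin code; it assumes a token whose `transferFrom` signals failure by returning `false` rather than reverting, and the `VaultSketch` contract, its 1:1 share accounting and all function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: not ForceDAO, SushiSwap or OpenZeppelin source.
interface IToken {
    function balanceOf(address who) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed staking vault in the xSUSHI style, simplified to 1:1 share accounting.
contract VaultSketch {
    IToken public immutable token;
    mapping(address => uint256) public shares;

    constructor(IToken token_) { token = token_; }

    // Unsafe: the bool from transferFrom is discarded. If the token reports
    // failure by returning false instead of reverting, shares are still credited.
    function enterUnchecked(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount;
    }

    // Hardened: shares are credited only for tokens that actually arrived.
    function enterChecked(uint256 amount) external {
        uint256 received = _safeTransferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += received;
    }

    // Wrapper that reverts on a failed call, a false return, or no balance change.
    function _safeTransferFrom(address from, address to, uint256 amount)
        private
        returns (uint256 received)
    {
        // High-level call: also reverts if `token` has no code deployed.
        uint256 balanceBefore = token.balanceOf(to);
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IToken.transferFrom.selector, from, to, amount)
        );
        // Accept empty return data (tokens that return nothing) or a decoded true.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transferFrom failed");
        received = token.balanceOf(to) - balanceBefore;
        require(received > 0, "nothing received");
    }
}
```

Crediting the measured balance change rather than the requested `amount` also covers tokens that take a fee on transfer.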





The company added that “all funds on our platform are safe, only xFORCE was affected. A total of 183 ETH (~ $367K) worth of FORCE were drained and liquidated.”





The malicious activity began at around 7:00am UTC. After being alerted to the exploitation, the ForceDAO team transferred 60 million FORCE tokens from the treasury multisignature wallet into a deployer wallet. This action created and executed three votes, burning the FORCE balances in addresses used by three of the suspected five hackers.





"We take responsibility for this engineering oversight and have begun processes to ensure any such incidents are mitigated in the future," said ForceDAO in an xFORCE Exploit Postmortem.





"We also want to thank the ..
