- ForceDAO has admitted that an “engineering oversight” allowed 183 ETH worth $367,000 to be taken from the platform
- Hackers exploited a flaw in the xFORCE code which allowed them to mint a huge number of tokens and sell them
- The platform had launched its airdrop campaign the prior day
Newly launched DeFi protocol ForceDAO has taken responsibility for a hack that saw 183 ETH stolen from its xFORCE platform just hours after it launched. ForceDAO, an Ethereum-based yield aggregator, was attacked on Sunday by four hackers who exploited the xFORCE platform to make off with the haul, worth $367,000. In a Medium postmortem, Lead Developer Alberto Cevallos admitted that an “engineering oversight” allowed the hack to take place, although he reiterated that user funds were never at risk.
1/We take responsibility for this engineering oversight and have begun processes to ensure any such incidents are mitigated in the future.
All funds on our platform are safe, only xFORCE was affected.
A total of 183 ETH (~$367K) worth of FORCE were drained and liquidated.
— Force (@force_dao) April 4, 2021
206 Quintillion xFORCE Tokens Minted
The hack began just after 7am on Sunday, less than a day after the ForceDAO airdrop campaign was launched. The xFORCE platform is a fork of a SushiSwap smart contract and contains a mechanism to revert tokens to a user in the event of failed transactions. Hackers exploited a flaw that allowed them to mint a frankly staggering two hundred six quintillion nine hundred seventy-four quadrillion nine hundred twenty trillion one hundred thirty-two billion five hundred eighteen million xFORCE tokens, although they only managed to sell 6.7 million of them.
In an honest assessment of the situation, Cevallos admitted that the hack could have been prevented had some commonly used elements been added to the code. He added that as a result of the hack, the ForceDAO team are working with two security agencies “to review and analyze our repos to ensure all contract systems perform as designed.” However, as we have found out on too many occasions in the past, having someone look over your code doesn’t always mean much when it comes to security.
ForceDAO to Reimburse Tokenholders
Cevallos added that the ForceDAO team have taken a snapshot of tokenholders and will reimburse them with a replacement token when it is ready, which is the same approach taken by the PAID Network when their contract was exploited last month.