Another rugpull has taken place in the DeFi space. This weekend's victim was ForceDAO.
ForceDAO has come under a massive attack. The attack was caused by an error in the code of the xFORCE contract. The bug allows anyone to use the “deposit” function regardless of whether they hold FORCE tokens or not. This means that it is possible to mint xFORCE tokens from the contract without locking any tokens in the vault.
Anyone can then exchange these tokens for FORCE using the “withdraw” function in the contract.
Many attackers are reported to have taken advantage of this vulnerability earlier this morning. An attacker received 14.8 million FORCE for $24 million, but has since returned the money to the pool. However, the other four people who took advantage of this vulnerability captured 6.75 million tokens, and those funds have already begun to be traded and transferred to various exchanges. The liquidity dropped when the white hat hacker found this vulnerability, which means the other attackers earned significantly less money for their FORCE.
Mudit Gupta, leader of Polymath Network’s blockchain team, detailed the attack in the following tweet:
xFORCE contract from @force_dao hacked and drained by a whitehacker. In the FORCE token, the transfer functions return false rather than reverting when the sender doesn't have enough balance. The xFORCE contract assumes FORCE will revert and does not handle the returned value. pic.twitter.com/lPo9vJ48bs
— Mudit Gupta (@Mudit__Gupta) April 4, 2021
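The pattern described in the tweet, shown next to two hardened forms. This is an added illustration, not ForceDAO's source code: the contract and function names (VaultSketch, depositUnchecked, depositChecked, depositMeasured) are hypothetical, and shares are credited 1:1 with deposits as a simplifying assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration with hypothetical names; not ForceDAO's source.
interface IToken {
    // Behaves like the FORCE token described in the tweet: returns false
    // instead of reverting when the sender's balance is insufficient.
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract VaultSketch {
    IToken public immutable token;
    // Stand-in for the xFORCE balance; 1:1 with deposits (assumption).
    mapping(address => uint256) public shares;

    constructor(IToken token_) {
        token = token_;
    }

    // Flawed pattern: the bool result is discarded, so a failed transfer
    // still reaches the credit line and the caller receives shares for nothing.
    function depositUnchecked(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount;
    }

    // Hardened form 1: treat a false return as a failure and revert.
    // OpenZeppelin's SafeERC20.safeTransferFrom performs this check as well.
    function depositChecked(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        shares[msg.sender] += amount;
    }

    // Hardened form 2: also credit only what the vault actually received,
    // so accounting never depends on the token's reported result alone.
    function depositMeasured(uint256 amount) external {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        shares[msg.sender] += received;
    }
}
```

The compiler's unused-return-value warning on the call in depositUnchecked is the first signal a reviewer would see for this class of bug.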
FORCE fell hard
ForceDAO held an airdrop yesterday in which FORCE tokens were distributed to active Ethereum users. Earlier this morning, the token was trading at $2.30, but it has since declined. The token, which fell as low as $0.024, is trading at $0.30 with a 90% loss at the time of writing.
One of the malicious attackers used an address linked to the centralized cryptocurrency exchange FTX. This gave hope that the funds could be saved. Others used the decentralized exchanges 1inch and SushiSwap.
ForceDAO confirmed the attack in the following tweet. The team stated that the details will be shared later.
ATTENTION
Our team is aware of the xFORCE contract exploit and has identified the nature of the issue.
There are no further funds available on the xFORCE contract to be exploited.
All other vaults are safe.
We will provide a post-mortem and next steps over the coming hours.
— Force (@force_dao) April 4, 2021