The dForce victim's self-report: escaped Fcoin and black swan, but did not escape Defi, the hacker cash machine

BTC0.0₂₀

ETH0.0₂₀

HTX0.0₂₀

SOL0.0₂₀

BNB0.0₂₀

BTC0.0₂₀

ETH0.0₂₀

HTX0.0₂₀

SOL0.0₂₀

BNB0.0₂₀

The dForce victim's self-report: escaped Fcoin and black swan, but did not escape Defi, the hacker cash machine

星球君的朋友们

2020-04-20 05:10

本文约2005字，阅读全文需要约8分钟

As an ordinary user, how should we protect our assets?

BihuBihu, Author: Bai Temi, published with authorization.

After eating at noon, I just woke up now, in a daze. At this moment, my heart is still bleeding, let me say it to make everyone happy.

I saw the news that the decentralized exchange Uniswap was hacked and 1,278 ethers were withdrawn yesterday, but I didn't take it seriously. In my heart, I silently sighed with political correctness: the currency circle is really full of disasters.

Unexpectedly, on the second day, it was my turn to suffer.

1

I used to like full warehouses all the time. After 312, it was painful to learn from the pain, the full position is too passive, and I don't want to fill the position again.

Therefore, I have basically not increased my income in the past two months, and I plan to use it mainly to improve my life.

But if there is a really good opportunity later, it will definitely enter the market to buy the bottom. At that time, the USDT off-market premium must be very high. With this in mind, I recently took the opportunity to exchange the fiat currency into USDT in batches, and made two-handed preparations.

Two days ago, I saw MYKEY doing activities. If you do a certain amount of stablecoin wealth management through the MYKEY wealth management portal, you can get a network fee reward of up to $10 and 5 free transfers of Ethereum per month. I already had some DAI and was managing money through the MYKEY entrance. I always feel that the security of DAI is higher than that of USDT, but in terms of transaction convenience, it is much worse than USDT. Therefore, for my own convenience, I still use USDT on a daily basis. After seeing the activities of MYKEY, I deposited all my USDT in the wealth management, the annualized rate of return is less than 1%, but it is flexible to deposit and withdraw, so I don’t actually expect to earn this interest.

On the one hand, I was greedy for the cheapness of network fees. On the other hand, DAI financial management gave me a very good experience. I can see the number rising every second, which is very cool.

2

Then, saw the news today, Lendf.Me was hacked, Dforce was ransacked...

After I saw it, I tried to withdraw coins immediately:

Looking at the group just now, there should be many people like Lao Bai:

I have saved far more than 1000U... However, one code is one code, and this matter has nothing to do with MYKEY. As far as I know, it's a developer's problem.

Lendf.me official came out in the telegram group for the first time and said that it is still investigating, so that everyone should stop depositing coins in the smart contract:

So how much money did the hacker withdraw from lendf.me this time?

In the past 24 hours, the locked assets in this smart contract have dropped to only $6. Before that, the locked assets in it were 25 million U.S. dollars—one of the seven major Defi markets. That is, now $25 million has been completely looted by hackers.

I basically have no hope that the official can give an explanation or compensation.

A while ago, this Defi project became the first open financial project invested by Multicoin Capital, and other investors included Huobi and CMB International. In that financing, it only raised $1.5 million.

Expect it to lose $25 million? I'd better wash and sleep...

3

What makes me speechless is that there is now a professional analysis. Today’s attack on Uniswap is similar to yesterday’s attack on Uniswap, both of which exploit ERC777 vulnerabilities. Slow Mist thought it might be the same group. To blame is indeed to blame myself for not being vigilant after seeing the news yesterday.

But I can't figure it out, these Defi project parties seem to be as unvigilant as I am... Don't you check the risks yourself when you see others being hacked?

There are melons behind this. After the hacker stole the coins inside, what did he do next?

On the one hand, the hacker went to various decentralized exchanges to exchange a lot of ETH and other coins; on the other hand, the hacker deposited a lot of exchanged coins into another Defi project compound.

I feel that the hacker must be intentional, because compound and lendf have been torn.

Compound has previously accused Lendf.Me of stealing its own code. Then, Lendf specifically added instructions related to Compound, clearly stating that its money market contract is based on Compound V1.

The reason why the two projects are torn apart is that the Compound code is open source, so is it appropriate for this open source code to be used and released by another competing project in the name of open source?

Specifically, I am not in the mood to pay attention to their more tearing up. In fact, before I stepped on the thunder myself today, I didn't pay attention to the grievances and hatred between them at all.

After Lendf was stolen, the founder of Compound immediately tweeted:

But I think it's useful. I just save money, and I always believe that the market has already done a basic screening and evaluation, so that unreliable companies will not allow such a large market share. As an ordinary individual, I have no ability to check whether their codes and contracts have any loopholes... So, how could I know in advance that there is a problem with the security of its contracts? Could it be that the only way to save one's life is to be suspicious and not to participate?

4

After reading a lot of analysis, the developer has a huge responsibility this time.

But what's the point of pursuing accountability? Now that the damage has been done, the question is, who will be held accountable?

With less than 1% annualized income, there is a risk of losing all the principal? unbelievable...

Although some other Defi financial management has a comprehensive design, but still the previous sentence - as the most ordinary users, they will not study so much carefully. Therefore, before this field has fully passed the test of time, and more people like me use the blood and tears of stepping on mines to complete debugging, I will still use Yu'ebao.

312 Many pioneers have used their blood and tears to debug Defi's position loss, which has promoted further discussions and developments in this field. This time, hackers withdraw funds for two consecutive days, which will surely further promote more discussions and developments in this field.

Theoretically speaking, it is true that you should not give up eating because of choking, because the direction of Defi is absolutely right. However, I will say this as a bystander and observer in the future, and the participation will be a little less, and a little less.

Admit it, stay safe.

It is not easy to live safely in the currency circle until the next bull market. Don't be greedy for cheap things, keep the degree of participation in new trends and new projects, and focus on observation and follow-up.

Coins, it is best to keep them in your wallet.