dForce Lending

2018-01-01

dForce founded by Mindao Yang in China as an integrated open finance protocol.

2019-01-01

dForce Foundation established; Lendf.Me lending market launched.

2020-01-01

The Block reports that dForce's Lendf.Me contracts contain unattributed references to Compound Finance code; attribution later added after press inquiry.

2020-04-14

Multicoin Capital announces $1.5M seed investment in dForce, with Huobi Capital and CMBI as co-investors.

2020-04-19

Lendf.Me exploited via ERC-777 reentrancy attack; approximately $25 million in assets drained. dForce pauses contracts and takes website offline.

2020-04-20

1inch exchange reports the attacker exposed their Chinese IP address and device fingerprint. Attacker begins symbolic PAX token peace transactions totaling ~$250,000 to dForce, 1inch, and ParaSwap.

2020-04-22

Compound's Robert Leshner and Kava Labs' Brian Kerr publicly allege dForce copied Compound's code without authorization or understanding.

2020-04-25

Attacker returns full ~$25 million to dForce. Huobi-issued assets worth ~$2.6M were the first to be returned.

2020-05-04

dForce confirms 100% of recovered funds redistributed to affected Lendf.Me users.

2021-04-09

ConsenSys Diligence publishes dForce Lending Protocol audit, flagging Owner role as single point of failure with unchecked power to drain user funds, and governance transition as untested.

2023-02-09

dForce Lending exploited via read-only reentrancy on Curve wstETH/ETH vault on Arbitrum and Optimism; $3.65 million drained.

2023-02-13

Attacker self-identifies as a whitehat, returns all $3.65 million to dForce multi-sig wallets in exchange for a bug bounty; dForce drops threatened law enforcement action.