Lendf.me

2018-01-01

Mindao Yang founds dForce Network in late 2018 as a China-based open finance protocol.

2019-09-01

Lendf.me lending protocol launches as a fork of Compound v1, initially supporting a limited set of Ethereum assets.

2020-04-14

dForce announces a $1.5 million strategic funding round led by Multicoin Capital, with Huobi Capital and CMBI participating.

2020-04-19

At approximately 12:58 AM UTC, attacker (EOA: 0xa9bf70a420d364e923c74448d9d817d3f2a77822) begins exploiting the ERC-777 reentrancy vulnerability. By 9:15 AM UTC+8, dForce discovers the attack. Lendf.me contracts are paused approximately one hour after the exploit begins. Approximately $25.2 million (~99.95% of TVL) is drained across 12 liquidity pools.

2020-04-20

dForce files a police report with Singapore authorities. The attacker's identifying metadata — including IP address and device fingerprint — is obtained from a CDN provider via subpoena. The attacker returns approximately $2.79 million as a first partial repayment.

2020-04-21

The attacker returns the remaining stolen funds, completing near-total restitution. dForce opens its Asset Recovery System for user withdrawals.

2020-04-27

dForce reports that over 90% of recovered assets have been redistributed to users and that 100% of affected users will be made whole.

2020-05-01

dForce publishes the 'Better Future' Proposal announcing 2,000,000 DF token airdrop to hack-affected users, creation of the dSAFU insurance fund with 50,000,000 DF tokens, and security improvement commitments. The original Lendf.me contract is permanently deprecated.

2021-03-01

Trail of Bits publishes a security audit of the redesigned dForce Lending protocol, reflecting post-incident security improvements.