Verify a decision

{"actor":"system:backfill","investigation_id":"fd4accb8-ef66-4cb4-8098-1c1b4719b81a","kind":"publish","page_slug":"dforce-network","published_at":"2026-05-31T06:59:20.371Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"dForce Network","sections":[{"content":"On April 19, 2020, dForce's lending protocol Lendf.Me was drained of approximately $25 million in assets via an ERC-777 reentrancy attack. The attack exploited a vulnerability arising from Lendf.Me's integration of imBTC, a synthetic Bitcoin token implementing the ERC-777 token standard. ERC-777 tokens include a callback hook that fires during token transfers, allowing a recipient contract to execute arbitrary code before the sender's balance is updated. The attacker used this callback to re-enter Lendf.Me's supply function, artificially inflating their recorded collateral balance without depositing actual tokens. After constructing a fraudulent collateral position, the attacker withdrew all available liquidity across 12 lending markets. ConsenSys had identified this same class of vulnerability in a public audit of Uniswap v1 approximately 16 months before the attack, rating it a major risk. Compound CEO Robert Leshner publicly alleged that Lendf.Me's code was copied from Compound v1 without full understanding of the codebase, with the word 'Compound' reportedly appearing four times in dForce's contracts. Mindao Yang accepted personal responsibility in an initial statement, writing 'This attack was my failure. While I did not execute it, I should have anticipated it and taken actions to prevent it.'","heading":"April 2020 Lendf.Me Exploit ($25 Million)","severity":"critical","sources":[{"credibility":2,"name":"Hackers just tapped China's dForce for $25 million in Ethereum exploit — Decrypt","type":"news_article","url":"https://decrypt.co/26033/dforce-lendfme-defi-hack-25m"},{"credibility":2,"name":"A Summary of the Attack on Lendf.Me on April 19, 2020 — Mindao Yang / dForce Medium","type":"official","url":"https://medium.com/dforcenet/a-summary-of-the-attack-on-lendf-me-on-april-19-2020-e2f1c5d96640"},{"credibility":2,"name":"How the dForce hacker used reentrancy to steal 25 million — Quantstamp","type":"research","url":"https://quantstamp.com/blog/how-the-dforce-hacker-used-reentrancy-to-steal-25-million"},{"credibility":2,"name":"The Reentrancy Strikes Again — The Case of Lendf.Me — Valid Network","type":"research","url":"https://valid.network/post/the-reentrancy-strikes-again-the-case-of-lendf-me"},{"credibility":2,"name":"DForce Hacker Returns Stolen Money as Criticism of the Project Continues — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/dforce-hacker-returns-stolen-money-as-criticism-of-the-project-continues"},{"credibility":1,"name":"Weekend Attack Drains Decentralized Protocol dForce of $25M in Crypto — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/04/19/weekend-attack-drains-decentralized-protocol-dforce-of-25m-in-crypto"}]},{"content":"The attacker left identifying metadata by accessing 1inch Exchange's CDN-based frontend rather than the IPFS-based version, which logged a consistent Chinese IP address appearing before each exchange transaction used to launder stolen assets. Additional metadata exposed the attacker's device type (Mac), screen resolution, and system language (US English set to 'en-us'). The hacker had used a VPN or proxy server rather than Tor, leaving the underlying IP potentially subpoenable. Singapore Police Force's Criminal Investigations Department formally requested access logs and registration data from 1inch, who cooperated as an exception to their standard privacy policy. The attacker subsequently contacted dForce to negotiate, and by April 21–22, 2020, all approximately $25 million in funds had been returned to Lendf.Me's contracts. By May 4, 2020, dForce had redistributed 100% of recovered funds to affected users. The attacker's specific identity was never publicly disclosed, and no criminal charges were publicly announced.","heading":"Attacker Identification and Fund Recovery (April 2020)","severity":"high","sources":[{"credibility":2,"name":"1inch did the best to help recover $25M stolen from dForce ecosystem — 1inch Blog","type":"official","url":"https://1inch.com/blog/post/1inch-helps-recover-25m-stolen-from-dforce-ecosystem/"},{"credibility":2,"name":"DForce Hacker Attempts to Negotiate After Allegedly Leaking His Identity — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/dforce-hacker-attempts-to-negotiate-after-allegedly-leaking-his-identity"},{"credibility":2,"name":"dForce Attacker Returns All of the $25 Million in Stolen Funds — BeInCrypto","type":"news_article","url":"https://beincrypto.com/dforce-attacker-returns-all-of-the-25-million-in-stolen-funds/"},{"credibility":1,"name":"dForce attacker returns all $25M stolen funds back to the DeFi project — The Block","type":"news_article","url":"https://www.theblock.co/post/62530/dforce-attacker-returns-all-25m-stolen-funds-back-to-the-defi"},{"credibility":2,"name":"2 Reasons Why Ethereum DeFi Hacker Returned $25 Million in Hacked Funds — NewsBTC","type":"news_article","url":"https://www.newsbtc.com/news/ethereum/2-reasons-why-ethereum-defi-hacker-returned-25-million-in-hacked-funds/"}]},{"content":"At the time of the April 2020 exploit, Lendf.Me had not undergone a security audit that covered the imBTC ERC-777 integration. The protocol's codebase was alleged by Compound Finance CEO Robert Leshner to be a direct fork of Compound v1 code, with Leshner stating publicly that dForce 'copy/pasted Compound v1 without changes' and that the word 'Compound' appeared four times in the deployed contracts. Leshner alleged the dForce team deployed code they did not fully understand, missing security implications present in the original. ConsenSys had issued a public warning about ERC-777 reentrancy risks in the context of Uniswap v1 approximately 16 months prior to the attack. dForce's initial attack post-mortem from Mindao Yang did not cite any prior comprehensive security audit of Lendf.Me. The absence of a pre-deployment audit of the specific vulnerable contracts is a documented contributing factor to the $25 million loss.","heading":"Prior Audit Status and Code Origin Controversy","severity":"high","sources":[{"credibility":2,"name":"The DeFi Hack: What Decentralized Finance Should and Shouldn't Be — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/the-defi-hack-what-decentralized-finance-should-and-shouldnt-be"},{"credibility":2,"name":"Hackers just tapped China's dForce for $25 million in Ethereum exploit — Decrypt","type":"news_article","url":"https://decrypt.co/26033/dforce-lendfme-defi-hack-25m"},{"credibility":2,"name":"A Summary of the Attack on Lendf.Me on April 19, 2020 — Mindao Yang / dForce Medium","type":"official","url":"https://medium.com/dforcenet/a-summary-of-the-attack-on-lendf-me-on-april-19-2020-e2f1c5d96640"}]},{"content":"On February 9, 2023 at approximately 11:00 PM UTC, dForce's Curve Finance vault on Arbitrum and Optimism was exploited via a read-only reentrancy attack, draining approximately $3.65 million ($1.9 million from Arbitrum, $1.7 million from Optimism). The attacker flash-loaned funds, deposited them into Curve's wstETH/ETH pool, and used the resulting LP tokens as collateral in dForce vaults. By calling Curve's remove_liquidity function, the attacker triggered a reentrancy that manipulated the virtual price used by dForce as its price oracle, enabling liquidation of other users' collateral at artificially deflated prices. ChainSecurity had disclosed this class of vulnerability to Curve and affected protocols on April 14, 2022, and Curve had published a mitigation. Similar attacks had previously exploited Midas Capital and Market.xyz via the same vector. dForce confirmed the incident approximately 90 minutes after an initial alert. The attacker subsequently identified themselves as a whitehat, negotiated a bounty, and returned all $3.65 million to dForce's multi-sig wallets. dForce committed to making affected users whole.","heading":"February 2023 Read-Only Reentrancy Exploit ($3.65 Million)","severity":"critical","sources":[{"credibility":2,"name":"Explained: The dForce Hack (February 2023) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-dforce-hack-february-2023"},{"credibility":1,"name":"DForce protocol drained of $3.6 million in reentrancy attack — The Block","type":"news_article","url":"https://www.theblock.co/post/210518/dforce-protocol-drained-of-3-6-million-in-reentrancy-attack"},{"credibility":2,"name":"DForce confirms the return of exploited $3.65m to their vaults — Crypto.news","type":"news_article","url":"https://crypto.news/dforce-confirms-the-return-of-exploited-3-65m-to-their-vaults/"},{"credibility":2,"name":"Curve Conundrum: The dForce Attack via a Read-Only Reentrancy Vector Exploit — CertiK","type":"research","url":"https://www.certik.com/resources/blog/curve-conundrum-the-dforce-attack-via-a-read-only-reentrancy-vector-exploit"},{"credibility":2,"name":"dForce Network exploited for $3.65 million, funds returned — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/?id=dforce-network-exploited-for-3-65-million-funds-returned"},{"credibility":2,"name":"dForce Network - REKT","type":"news_article","url":"https://rekt.news/dforce-network-rekt"}]},{"content":"Following the April 2020 exploit, dForce published a 'Better Future' recovery proposal authored by Mindao Yang, establishing a path to redistribute recovered funds and rebuild the protocol. By May 4, 2020, all 100% of recovered funds had been redistributed to affected Lendf.Me users. dForce created a dForce Secure Asset Fund for Users (dSAFU), seeded with 50 million DF tokens from the dForce Foundation, with a commitment to direct 10% of future protocol transaction fees into the fund. Over the subsequent years dForce relaunched and expanded, deploying its lending and stablecoin protocols across Ethereum, Arbitrum, Optimism, BSC, Polygon, Avalanche, Conflux, and other chains. As of data available from DeFi analytics sources in 2024, dForce's TVL was approximately $8.69 million, distributed across multiple chains with Conflux ($4.53M) and Ethereum ($3.55M) as the largest. The protocol's DF governance token remains tradeable on major exchanges. dForce has continued to pursue multi-chain expansion and introduced an isolated market model for lending in 2023.","heading":"Post-Exploit Recovery, Relaunch, and Current Operations","severity":"medium","sources":[{"credibility":2,"name":"Lendf.Me Resolution, Part II: dForce Better Future Proposal — Mindao Yang / dForce Medium","type":"official","url":"https://medium.com/dforcenet/lendf-me-resolution-part-ii-dforce-better-future-proposal-76a07b65ca24"},{"credibility":2,"name":"dForce Ecosystem Update — May 2020 — dForce Medium","type":"official","url":"https://medium.com/dforcenet/dforce-ecosystem-update-may-2020-199f2cdfde94"},{"credibility":2,"name":"dForce TVL Stats & Charts — DefiLlama","type":"onchain","url":"https://defillama.com/protocol/dforce"},{"credibility":2,"name":"dForce Price: DF/USD Live Price Chart — CoinGecko","type":"other","url":"https://www.coingecko.com/en/coins/dforce"}]},{"content":"dForce was founded in late 2018 by Mindao Yang and Xin Xu. Mindao Yang serves as Founder and CEO and has a background in traditional finance, including roles at Standard Chartered Principal Finance and Hony Capital focused on high-yield bonds, distressed assets, and restructuring. He also founded Blockpower and Hashingbot before starting dForce. Yang became involved with Bitcoin in 2013 and participated in Ethereum's 2014 ICO. Xin Xu, the co-founder, is separately known as CEO of Sparkpool, described at the time of dForce's founding as the largest Ethereum mining pool globally. Both founders are publicly identified individuals with verifiable professional histories in the Chinese crypto ecosystem. Multicoin Capital, which led the $1.5 million seed round alongside China Merchants Bank International and Huobi Capital in April 2020, described the duo as 'one of the most capable teams in China.'","heading":"Founders and Team","severity":"low","sources":[{"credibility":2,"name":"Exclusive: An interview with dForce founder Mindao Yang — Decrypt","type":"news_article","url":"https://decrypt.co/26069/exclusive-an-interview-with-dforce-founder-mindao-yang"},{"credibility":2,"name":"Our Investment in dForce: The DeFi Super-Network — Multicoin Capital","type":"other","url":"https://multicoin.capital/2020/04/14/our-investment-in-dforce-the-defi-super-network/"},{"credibility":3,"name":"Mindao Yang — Founder & CEO @ dForce — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/mindao-yang"}]},{"content":"dForce has experienced two separate material exploits: the April 2020 Lendf.Me ERC-777 reentrancy attack ($25M) and the February 2023 Curve vault read-only reentrancy attack ($3.65M). In both cases the specific vulnerability exploited was either documented publicly in advance or fell outside the scope of the protocol's existing audits. Following the 2020 hack, dForce pledged to retain top security firms and implement comprehensive auditing before future launches. The 2023 exploit recurrence — leveraging a publicly disclosed vulnerability class from April 2022 — raises questions about the protocol's post-2020 audit coverage of third-party integrations. Both exploits were ultimately resolved with full fund return, either through law enforcement pressure (2020) or whitehat negotiation (2023). The dSAFU insurance fund was established post-2020 as a backstop, though its capitalization relative to protocol TVL has not been independently verified in accessible sources.","heading":"Smart Contract Security Posture","severity":"high","sources":[{"credibility":2,"name":"Explained: The dForce Hack (February 2023) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-dforce-hack-february-2023"},{"credibility":2,"name":"How the dForce hacker used reentrancy to steal 25 million — Quantstamp","type":"research","url":"https://quantstamp.com/blog/how-the-dforce-hacker-used-reentrancy-to-steal-25-million"},{"credibility":2,"name":"dForce Ecosystem Update — April 2020 — dForce Medium","type":"official","url":"https://medium.com/dforcenet/dforce-ecosystem-update-april-2020-f2f620cfe5ed"},{"credibility":3,"name":"Apr 2020 - LendfMe (DForce) DeFi Protocol Breached — Quadriga Initiative","type":"research","url":"https://quadrigainitiative.com/casestudy/dforcelendfmedefiprotocolbreached.php"}]}],"sources_used":[{"name":"A Summary of the Attack on Lendf.Me on April 19, 2020 — Mindao Yang / dForce Medium","type":"official","url":"https://medium.com/dforcenet/a-summary-of-the-attack-on-lendf-me-on-april-19-2020-e2f1c5d96640"},{"name":"Hackers just tapped China's dForce for $25 million in Ethereum exploit — Decrypt","type":"news_article","url":"https://decrypt.co/26033/dforce-lendfme-defi-hack-25m"},{"name":"How the dForce hacker used reentrancy to steal 25 million — Quantstamp","type":"research","url":"https://quantstamp.com/blog/how-the-dforce-hacker-used-reentrancy-to-steal-25-million"},{"name":"1inch did the best to help recover $25M stolen from dForce ecosystem — 1inch Blog","type":"official","url":"https://1inch.com/blog/post/1inch-helps-recover-25m-stolen-from-dforce-ecosystem/"},{"name":"DForce Hacker Attempts to Negotiate After Allegedly Leaking His Identity — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/dforce-hacker-attempts-to-negotiate-after-allegedly-leaking-his-identity"},{"name":"dForce Attacker Returns All of the $25 Million in Stolen Funds — BeInCrypto","type":"news_article","url":"https://beincrypto.com/dforce-attacker-returns-all-of-the-25-million-in-stolen-funds/"},{"name":"dForce attacker returns all $25M stolen funds back to the DeFi project — The Block","type":"news_article","url":"https://www.theblock.co/post/62530/dforce-attacker-returns-all-25m-stolen-funds-back-to-the-defi"},{"name":"DForce Hacker Returns Stolen Money as Criticism of the Project Continues — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/dforce-hacker-returns-stolen-money-as-criticism-of-the-project-continues"},{"name":"The DeFi Hack: What Decentralized Finance Should and Shouldn't Be — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/the-defi-hack-what-decentralized-finance-should-and-shouldnt-be"},{"name":"Lendf.Me Resolution, Part II: dForce Better Future Proposal — Mindao Yang / dForce Medium","type":"official","url":"https://medium.com/dforcenet/lendf-me-resolution-part-ii-dforce-better-future-proposal-76a07b65ca24"},{"name":"dForce Ecosystem Update — April 2020 — dForce Medium","type":"official","url":"https://medium.com/dforcenet/dforce-ecosystem-update-april-2020-f2f620cfe5ed"},{"name":"Our Investment in dForce: The DeFi Super-Network — Multicoin Capital","type":"other","url":"https://multicoin.capital/2020/04/14/our-investment-in-dforce-the-defi-super-network/"},{"name":"Exclusive: An interview with dForce founder Mindao Yang — Decrypt","type":"news_article","url":"https://decrypt.co/26069/exclusive-an-interview-with-dforce-founder-mindao-yang"},{"name":"Explained: The dForce Hack (February 2023) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-dforce-hack-february-2023"},{"name":"DForce protocol drained of $3.6 million in reentrancy attack — The Block","type":"news_article","url":"https://www.theblock.co/post/210518/dforce-protocol-drained-of-3-6-million-in-reentrancy-attack"},{"name":"DForce confirms the return of exploited $3.65m to their vaults — Crypto.news","type":"news_article","url":"https://crypto.news/dforce-confirms-the-return-of-exploited-3-65m-to-their-vaults/"},{"name":"Curve Conundrum: The dForce Attack via a Read-Only Reentrancy Vector Exploit — CertiK","type":"research","url":"https://www.certik.com/resources/blog/curve-conundrum-the-dforce-attack-via-a-read-only-reentrancy-vector-exploit"},{"name":"dForce Network exploited for $3.65 million, funds returned — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/?id=dforce-network-exploited-for-3-65-million-funds-returned"},{"name":"dForce Network - REKT","type":"news_article","url":"https://rekt.news/dforce-network-rekt"},{"name":"Weekend Attack Drains Decentralized Protocol dForce of $25M in Crypto — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/04/19/weekend-attack-drains-decentralized-protocol-dforce-of-25m-in-crypto"},{"name":"The Reentrancy Strikes Again — The Case of Lendf.Me — Valid Network","type":"research","url":"https://valid.network/post/the-reentrancy-strikes-again-the-case-of-lendf-me"},{"name":"Apr 2020 - LendfMe (DForce) DeFi Protocol Breached — Quadriga Initiative","type":"research","url":"https://quadrigainitiative.com/casestudy/dforcelendfmedefiprotocolbreached.php"},{"name":"dForce TVL Stats & Charts — DefiLlama","type":"onchain","url":"https://defillama.com/protocol/dforce"},{"name":"dForce Price: DF/USD Live Price Chart — CoinGecko","type":"other","url":"https://www.coingecko.com/en/coins/dforce"},{"name":"Mindao Yang — Founder & CEO @ dForce — Crunchbase","type":"other","url":"https://www.crunchbase.com/person/mindao-yang"}],"summary":"dForce Network is a China-founded DeFi protocol suite offering lending, stablecoin, and trading products, founded in late 2018 by Mindao Yang and Xin Xu. The protocol suffered two significant security incidents: a $25 million ERC-777 reentrancy exploit in April 2020 and a $3.65 million read-only reentrancy attack in February 2023, with funds returned in both cases. Despite recovering from both exploits and continuing to operate across multiple chains, the protocol's pattern of deploying code without fully auditing all integrated components remains a documented risk factor.","timeline":[{"date":"2018-12-01","event":"dForce Network founded in China by Mindao Yang and Xin Xu as a DeFi protocol suite.","source":"Decrypt interview with Mindao Yang","source_url":"https://decrypt.co/26069/exclusive-an-interview-with-dforce-founder-mindao-yang"},{"date":"2020-01-01","event":"Lendf.Me integrates imBTC (ERC-777 token) as collateral, introducing the reentrancy vulnerability that would be exploited.","source":"Hackers just tapped China's dForce for $25 million — Decrypt","source_url":"https://decrypt.co/26033/dforce-lendfme-defi-hack-25m"},{"date":"2020-04-14","event":"Multicoin Capital leads a $1.5 million seed round in dForce, with China Merchants Bank International and Huobi Capital co-investing.","source":"Our Investment in dForce — Multicoin Capital","source_url":"https://multicoin.capital/2020/04/14/our-investment-in-dforce-the-defi-super-network/"},{"date":"2020-04-19","event":"Lendf.Me exploited via ERC-777 reentrancy attack. Approximately $25 million drained from 12 lending markets. dForce team discovers the breach at 9:15 AM UTC+8 and pauses the protocol.","source":"A Summary of the Attack on Lendf.Me — Mindao Yang / dForce Medium","source_url":"https://medium.com/dforcenet/a-summary-of-the-attack-on-lendf-me-on-april-19-2020-e2f1c5d96640"},{"date":"2020-04-20","event":"Attacker attempts to negotiate with dForce. 1inch Exchange identifies the attacker's Chinese IP address via CDN access logs. Singapore Police Force's Criminal Investigations Department formally requests attacker data from 1inch.","source":"DForce Hacker Attempts to Negotiate After Allegedly Leaking His Identity — CoinTelegraph","source_url":"https://cointelegraph.com/news/dforce-hacker-attempts-to-negotiate-after-allegedly-leaking-his-identity"},{"date":"2020-04-21","event":"Attacker begins returning stolen funds to Lendf.Me contracts.","source":"dForce Attacker Returns All of the $25 Million — BeInCrypto","source_url":"https://beincrypto.com/dforce-attacker-returns-all-of-the-25-million-in-stolen-funds/"},{"date":"2020-04-22","event":"Substantially all $25 million in stolen funds confirmed returned to dForce. Criticism mounts regarding copied Compound code and absence of audit coverage.","source":"DForce Hacker Returns Stolen Money as Criticism of the Project Continues — CoinTelegraph","source_url":"https://cointelegraph.com/news/dforce-hacker-returns-stolen-money-as-criticism-of-the-project-continues"},{"date":"2020-05-04","event":"dForce redistributes 100% of recovered funds to Lendf.Me users. All affected users made whole.","source":"dForce Ecosystem Update — April 2020 — dForce Medium","source_url":"https://medium.com/dforcenet/dforce-ecosystem-update-april-2020-f2f620cfe5ed"},{"date":"2022-04-14","event":"ChainSecurity discloses read-only reentrancy vulnerability in Curve pools to Curve and affected protocols. Curve publishes a mitigation. dForce's Curve vault integration is not patched in time.","source":"Explained: The dForce Hack (February 2023) — Halborn","source_url":"https://www.halborn.com/blog/post/explained-the-dforce-hack-february-2023"},{"date":"2023-02-09","event":"dForce's Curve vault on Arbitrum and Optimism exploited via read-only reentrancy. Approximately $3.65 million drained ($1.9M Arbitrum, $1.7M Optimism).","source":"DForce protocol drained of $3.6 million in reentrancy attack — The Block","source_url":"https://www.theblock.co/post/210518/dforce-protocol-drained-of-3-6-million-in-reentrancy-attack"},{"date":"2023-02-13","event":"Attacker self-identifies as a whitehat, negotiates a bounty with dForce, and returns all $3.65 million to dForce multi-sig wallets.","source":"DForce confirms the return of exploited $3.65m to their vaults — Crypto.news","source_url":"https://crypto.news/dforce-confirms-the-return-of-exploited-3-65m-to-their-vaults/"}]},"v":1}