In brief

  • Hackers have begun returning funds from the theft of over $25 million from Chinese DeFi platform dForce.
  • Around $2.6 million has been returned to dForce so far, after exchanges blacklisted the stolen funds.
  • The hack exploited a known reentrancy risk created by the transfer hooks of the ERC-777 token standard.

Hackers who siphoned over $25 million from Chinese DeFi platform dForce have started returning the now-blacklisted funds after failing to sell them.

Their change of heart was far from altruistic, however; the hackers found themselves at a loss after several exchanges blacklisted the funds. Unable to unload their stolen capital, the hackers reached out to dForce to strike up a deal.

"The hacker(s) have attempted to contact us and we intend to enter into discussions with them," dForce founder Mindao Yang noted in a blog post published yesterday.

It seems those negotiations went well, as some of the stolen funds appear to have been returned. According to crypto researcher ‘Frank Topbottom’, the hackers repaid 320 Huobi BTC—an ERC-20 version of Bitcoin—and 381,000 Huobi USD.

While that only amounts to around $2.6 million—around 10% of the funds stolen in the hack—it's still a somewhat promising start.

How was dForce hacked?

On April 14, hackers exploited a known weakness in how contracts handle ERC-777 tokens: the standard notifies the sender and the recipient through hook calls during every transfer, so a contract that moves such a token and only updates its own records afterwards hands control to the attacker in the middle of the transaction. Using this "reentrancy attack", they drained $25 million from various DeFi protocols within the dForce network.

The same technique was also used to funnel $300,000 from decentralized exchange Uniswap on Saturday.

But here's the kicker. The exploit relies on the same reentrancy pattern as the infamous DAO hack of 2016. On top of this, an audit of Uniswap, undertaken by ConsenSys well over a year ago, had already flagged the vulnerability, dubbing it a "major" issue.

Let's just hope it doesn't take another hack for the loophole to get patched up this time.