POST-MORTEM
To the Force and DeFi community, we'd like to share a post-mortem on the recent xFORCE exploit.
Thanks to everyone technical and non-technical who helped along the way.
Especially to the White Hat who helped deter FORCE getting drained.
blog.forcedao.com/xforce-exploit…
To the Force and DeFi community, we'd like to share a post-mortem on the recent xFORCE exploit.
Thanks to everyone technical and non-technical who helped along the way.
Especially to the White Hat who helped deter FORCE getting drained.
blog.forcedao.com/xforce-exploit…
1/We take responsibility for this engineering oversight and have begun processes to ensure any such incidents are mitigated in the future.
All funds on our platform are safe, only xFORCE was affected.
A total of 183 ETH (~$367K) worth of FORCE were drained and liquidated.
All funds on our platform are safe, only xFORCE was affected.
A total of 183 ETH (~$367K) worth of FORCE were drained and liquidated.
2/For the time being, we can only confirm that there will be a snapshot and new token.
We’ve begun internal re-structuring and will be announcing a plan over the coming days making any affected FORCE holders and LPs whole.
Here's a timeline of events...
We’ve begun internal re-structuring and will be announcing a plan over the coming days making any affected FORCE holders and LPs whole.
Here's a timeline of events...
3/
#1 White Hat (~6:18 AM UTC)
Identifies exploit and begins collecting funds, which are sent to the Force multisig hours later.
Address
etherscan.io/address/0xf88a…
#1 White Hat (~6:18 AM UTC)
Identifies exploit and begins collecting funds, which are sent to the Force multisig hours later.
Address
etherscan.io/address/0xf88a…
4/
#2 Black Hat (07:17 AM UTC)
Mints, drains and sells FORCE for ~80 ETH
etherscan.io/tx/0x03c84e3f7…
#2 Black Hat (07:17 AM UTC)
Mints, drains and sells FORCE for ~80 ETH
etherscan.io/tx/0x03c84e3f7…
5/
#3 Black Hat (07:20 AM UTC)
Mints, drains and sells FORCE for ~8 ETH
etherscan.io/address/0xe29a…
#3 Black Hat (07:20 AM UTC)
Mints, drains and sells FORCE for ~8 ETH
etherscan.io/address/0xe29a…
6/
#4 Black Hat (07:20 AM UTC)
Mints, drains and sells FORCE for ~50 ETH
etherscan.io/address/0x0608…
#4 Black Hat (07:20 AM UTC)
Mints, drains and sells FORCE for ~50 ETH
etherscan.io/address/0x0608…
7/
#5 Black Hat (07:20 AM UTC)
Mints, drains and sells FORCE for ~45 ETH
etherscan.io/address/0x0000…
#5 Black Hat (07:20 AM UTC)
Mints, drains and sells FORCE for ~45 ETH
etherscan.io/address/0x0000…
8/
#5 Force DAO Team
Burning FORCE tokens off the exploiter's wallet:
3/5 exploiters still had FORCE tokens in their addresses, and were able to sell for ETH.
An executive decision was made at around 8am EST, to transfer 60M FORCE tokens from the treasury multisig into a ...
#5 Force DAO Team
Burning FORCE tokens off the exploiter's wallet:
3/5 exploiters still had FORCE tokens in their addresses, and were able to sell for ETH.
An executive decision was made at around 8am EST, to transfer 60M FORCE tokens from the treasury multisig into a ...
9/
deployer wallet to create and execute 3 votes that would effectively burn the FORCE balances in the 3 Black Hat addresses.
This is the first txn:
etherscan.io/tx/0xb02206a51…
deployer wallet to create and execute 3 votes that would effectively burn the FORCE balances in the 3 Black Hat addresses.
This is the first txn:
etherscan.io/tx/0xb02206a51…
10/
ANALYSIS (1/3)
The xFORCE vault is a xSUSHI contract fork. The implementation used assumes tokens revert the transaction on failure. github.com/ForceDAO/contr…
ANALYSIS (1/3)
The xFORCE vault is a xSUSHI contract fork. The implementation used assumes tokens revert the transaction on failure. github.com/ForceDAO/contr…
11/
ANALYSIS (2/3)
The token used by Force DAO is an Aragon Minime token that returns a false bool if “transferFrom” fails (instead of reverting).
github.com/aragon/minime/…
ANALYSIS (2/3)
The token used by Force DAO is an Aragon Minime token that returns a false bool if “transferFrom” fails (instead of reverting).
github.com/aragon/minime/…
12/
ANALYSIS (3/3)
The exploiters were able to deposit FORCE tokens that would fail the transferFrom call and receive xFORCE tokens, as the xFORCE contract expects a revert from the token but instead receives false.
And then withdraw these newly minted xFORCE tokens for the ..
ANALYSIS (3/3)
The exploiters were able to deposit FORCE tokens that would fail the transferFrom call and receive xFORCE tokens, as the xFORCE contract expects a revert from the token but instead receives false.
And then withdraw these newly minted xFORCE tokens for the ..
13/
remaining FORCE tokens in the vault, and liquidate them for ETH on exchanges.
This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract.
remaining FORCE tokens in the vault, and liquidate them for ETH on exchanges.
This could’ve been prevented by using a standard Open Zeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract.
14/
WHO WAS AFFECTED?
Force, xForce, and Force/ETH LPs on UniSwap and SushiSwap were affected.
- - - - - - - - - - - - - - --
*ForceDAO strategy, vault and reward pool contracts were not affected.
WHO WAS AFFECTED?
Force, xForce, and Force/ETH LPs on UniSwap and SushiSwap were affected.
- - - - - - - - - - - - - - --
*ForceDAO strategy, vault and reward pool contracts were not affected.
15/
NEXT STEPS
We’re currently engaged with 2 separate security firms to review and analyze our repos to ensure all contract systems perform as designed.
Over the coming days, our team will announce a plan to re-launch xFORCE — with a snapshot and new token. We continue to...
NEXT STEPS
We’re currently engaged with 2 separate security firms to review and analyze our repos to ensure all contract systems perform as designed.
Over the coming days, our team will announce a plan to re-launch xFORCE — with a snapshot and new token. We continue to...
16/
investigate the event with the relevant authorities as some of the addresses originated from FTX and Binance.
This incident will only make us stronger, as a team of builders and a community. And we look forward to sharing the new products we've been working on.
Thanks
investigate the event with the relevant authorities as some of the addresses originated from FTX and Binance.
This incident will only make us stronger, as a team of builders and a community. And we look forward to sharing the new products we've been working on.
Thanks
• • •
Missing some Tweet in this thread? You can try to
force a refresh
