On April 19th, Mindao Yang, founder of dForce, confessed that $25 million crypto had been stolen from his platform.
In a blog post, Yang said Lendf.Me, the lending protocol of dForce, was attacked and a vulnerability was exploited to steal the digital assets.
Today, it is being reported that the crypto has been returned.
According to the BBC, $10m in Ethereum, $10m in stablecoins and $4m in other coins have now been returned.
Yang took the blame for the hack:
“This attack was my failure. While I did not execute it, I should have anticipated it and taken actions to prevent it. My heart goes out to everyone harmed, and I will do everything in my power to make this right. I sincerely apologize to our users, to our new investors, and to my team for letting them down.”
A blog post by Peckshield explained how the crypto was stolen:
“Technically, the main logic behind these two incidents is the incompatibility between ERC777 and those DeFi smart contracts, which might be misused by the attacker to utterly hijack a normal transaction and perform additional illicit operations.”
In a later post, Yang said he is planning a more detailed update on the theft.
Via Twitter, Lendf.Me indicated it had created a separate recovery account for future distribution of the funds.
Dear Users: We are about to move all hacked funds from https://t.co/XwcnxztZnW Admin to a seperate recovery account for furture distribution.
Below is the address for the recovery account: https://t.co/alxsqhIQmd
— Lendf.Me (@LendfMe) April 21, 2020