April 5th, 2021
On April 4, 2021, the ForceDAO DeFi aggregator was exploited by one white-hat and four black-hat hackers. The malicious attackers were able to steal FORCE tokens worth 183 ETH or about $367K before the ForceDAO team took action to block further attacks.
Like any program, smart contracts can experience errors. A common issue that Solidity developers face is properly handling these errors.
When the ERC20 protocol was developed, there was an argument over how errors in token transfers should be handled. The two options were:
When the ERC20 standard was finalized, the community had not come to an agreement on which error handling method to choose, meaning that both options are considered “valid”. This places the burden on the developer to ensure that their code properly handles errors.
The ForceDAO hack was made possible by a mismatch in two components within the ForceDAO ecosystem:
While this mismatch doesn’t matter in normal circumstances, it creates a vulnerability in error cases. If a deposit into the xFORCE vault fails, the deposited tokens will remain in the sender’s wallet.
However, on the vault’s side, the sender will receive xFORCE tokens in exchange because the code assumes that, if it’s still running after the transfer (i.e. a revert didn’t happen), that the transfer went through successfully.
The ForceDAO attackers took advantage of this vulnerability. By performing a deposit of FORCE tokens that was doomed to fail, they received xFORCE tokens. These xFORCE tokens could then be exchanged for any FORCE tokens deposited in the vault by other users.
The ForceDAO ecosystem was built using code from multiple sources, resulting in a solution containing vulnerabilities that have been known about for years. These vulnerabilities could have been detected and fixed through an in-depth smart contract audit, which should have identified the mismatch or detected the lack of error handling code after the transfer (i.e. checking for a return value of false).
If you want to learn more about Halborn’s smart contract auditing services, get in touch at firstname.lastname@example.org.