April 4, 2021: Unforced Error ⚾️😳

The ForceDAO giveaway continues, in a manner of speaking...

DeFi

Remember ForceDAO? Just last month Curve users thought they’d stumbled upon El Dorado — una ciudad legendaria de oro. Trade in your beef bouillon for gold bullions, we’re eating out on town tonight!

Force @force_dao

ATTENTION Our team is aware of the xFORCE contract exploit and has identified the nature of the issue. There are no further funds available on the xFORCE contract to be exploited. All other vaults are safe. We will provide a post-mortem and next steps over the coming hours.

9:39 AM ∙ Apr 4, 2021

---

Well, this morning we found out what happens when an unmovable hacker meets a highly stoppable Force.

The General || Cleetus @CleetusGeneral

Watching force ‘xforce’ vault get drained like like a pool of water in a sink.

7:15 AM ∙ Apr 4, 2021

---

Look through the following function. Even if you can’t code you can still follow the logic here. Imagine calling this function and asking for xForce, but you don’t have any Force. In other words, force.balanceOf(msg.sender) == 0

Well, there’s no such check for anything that. It’s an ATM that doesn’t bother reading your card… it’s open season!

Mudit Gupta @Mudit__Gupta

xFORCE contract from @force_dao hacked and drained by a whitehacker. In the FORCE token, the transfer functions return false rather than reverting when the sender doesn't have enough balance. The xFORCE contract assumes FORCE will revert and does not handle the returned value.

8:52 AM ∙ Apr 4, 2021

---

Fortunately, for the Force team, the hack could have been much worse. The exploit was discovered by a white hat hacker, who drained about $10MM worth of $Force.

defiOWL @OwOtrades

This seems to be the exploiter for $XFORCE etherscan.io/address/0x9d9c… > Minted $XFORCE > Withdrew $FORCE using minted $XFORCE > Sold $FORCE through 1inch Don't seem to really care about opsec seeing how the initial funds are seeded from FTX 🤷‍♂️

7:38 AM ∙ Apr 4, 2021

---

Two other users managed to swipe about $250K, but they used addresses associated with Binance and FTX, making it possible they funds may yet be recovered.

Igor Igamberdiev @FrankResearcher

5/5 Apparently, these hackers were in such a hurry that they used addresses associated with exchanges, which gives quite a lot of hope for a return of all funds.

9:01 AM ∙ Apr 4, 2021

---

Trading was halted, albeit in a sort of “does the unheard tree falling make a sound” type of manner.

VEOMaximalist (KZ) @CryptoMaestro

Nobody: ForceDAO: okay can you guys stop trading

10:41 AM ∙ Apr 4, 2021

---

Within the world of DeFi hacks, this one was too small to really impress. Millions of dollars sitting in the middle of Times Square, and 98% stays safe? That’s more like a bug bounty, when what DeFi fans really wanted was fireworks.

rekt @RektHQ

A white hat is not white if nobody can see it. The community rugged itself, now even airdrops can cost you money. @force_dao - the smallest airdrop followed by the most unremarkable hack.

rekt.newsRekt - Force - REKTDeFi / Crypto - A white hat is not white if nobody can see it. The community rugged itself. Force DAO - the smallest airdrop followed by the most unremarkable hack.

9:22 AM ∙ Apr 4, 2021

---

Indeed, even before the hack, users were already salty about the free money being handed out by Force.

state.eth @statelayer

force doing overtime to outdo auc for the spot of worse airdrop of the month

7:41 AM ∙ Apr 4, 2021

---

Most users got about $100-$200, making it not worth the gas to claim.

banteg @bantg

The smallest airdrop ever created.

10:30 PM ∙ Apr 3, 2021

---

BillyBulltardo @bulltardo

i may have actually lost money claiming and selling this

11:24 PM ∙ Apr 3, 2021

At the moment DeFi is so flush with cash that beggars can afford to be choosers. A few hundred dollars buys your project nothing but discontent among the malcontents. If you want to get the masses excited, don’t just give away money, get people some free spins at the wheel to get the gambling juices flowing.

For instance, consider the much lauded Ellipsis Finance giveaway. The benevolent Curve fork’s giveaway has been received very positively; not only buying goodwill but converting longtime BSC skeptics into power users. Over 80% of the first two airdrops have been already claimed

Claiming $EPS instantly destroys 50% the airdrop’s $EPS value, but with an APY currently sitting at >2000% degens are gambling that this would pay itself back in just two weeks. This is plenty long enough to grab the attention of the wider degen community and shoot Ellipsis Finance to the top of the leaderboards.

Of course, much of this APY is likely being driven directly by people making these claims. This 50% burn simply gets reshuffled amongst everybody and labeled as earnings. You get your free money back, maybe more, maybe less. But can you really put a price on endorphins?

Curve Market Cap @CurveCap

Poll for $veCRV holders: what are you doing with your @Ellipsisfi claims?

11:08 AM ∙ Apr 2, 2021

---

---

For more info, check our live market data at https://curvemarketcap.com/ or our subscribe to our daily newsletter at https://curve.substack.com/. Nothing in our newsletter can be construed as financial advice. Author is a Curve maximalist, but has no interest in ForceDAO.