DeFi Under Fire: dForce Protocol Drained of $25 Million in Devastating Exploit

April 18, 2020 will be remembered as one of the darkest days in the early history of decentralized finance. The dForce network, a DeFi lending protocol backed by Multicoin Capital, was drained of virtually all its assets in a sophisticated exploit that saw approximately $25 million worth of Bitcoin and Ethereum stolen in a matter of minutes.

The attack targeted Lendf.Me, dForce’s flagship lending platform, and exploited a critical vulnerability related to imBTC — an ERC-20 token pegged to Bitcoin and operated by TokenLon. The breach was devastating in its completeness: dForce lost 100% of its locked assets, leaving depositors with nothing and sending shockwaves through the nascent DeFi ecosystem.

TL;DR

  • dForce’s Lendf.Me protocol was exploited for $25 million in BTC and ETH on April 18, 2020
  • The attack exploited a reentrancy vulnerability in imBTC, an ERC-20 tokenized Bitcoin on Ethereum
  • The same vulnerability was used to drain approximately $300,000 from Uniswap’s imBTC liquidity pool
  • dForce lost 100% of its total value locked, becoming one of the worst DeFi hacks at the time
  • The protocol was backed by Multicoin Capital and had been considered a rising star in DeFi

How the Attack Unfolded

The exploit leveraged a reentrancy attack — one of the most well-known vulnerability types in smart contract security. The attacker manipulated imBTC, a tokenized version of Bitcoin on the Ethereum blockchain, to repeatedly withdraw funds from Lendf.Me’s lending pools before the contract could update its internal balance records.
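The ordering flaw described above, modelled in Python as an added example (not code from Lendf.Me, imBTC, or the original article). The pool class, the recipient hook, and all amounts are constructed assumptions: the vulnerable pool writes its balance record after the external token call, while the hardened one writes it first and rejects re-entry.

```python
class ReentrantCall(Exception):
    """Raised by the hardened pool when withdraw() is re-entered."""

class Pool:
    """Toy lending pool (constructed model, not Lendf.Me code)."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.balances = {}   # internal balance records
        self.reserves = 0    # tokens the pool actually holds
        self.locked = False  # reentrancy guard flag

    def deposit(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount
        self.reserves += amount

    def withdraw(self, user, amount, hook):
        if self.hardened and self.locked:
            raise ReentrantCall("withdraw re-entered")
        recorded = self.balances.get(user, 0)
        if amount > recorded or amount > self.reserves:
            raise ValueError("insufficient balance")
        self.locked = True
        try:
            if self.hardened:
                self.balances[user] = recorded - amount  # effect before interaction
            self.reserves -= amount
            hook(self)  # external call: the token notifies the recipient
            if not self.hardened:
                self.balances[user] = recorded - amount  # stale write, too late
        finally:
            self.locked = False

def payout_under_reentry(hardened, depth=3):
    """Regression check: one 100-unit deposit must never pay out more than 100."""
    pool = Pool(hardened)
    pool.deposit("other_depositors", 900)  # constructed sample amounts
    pool.deposit("tester", 100)
    state = {"calls": 0, "blocked": 0}

    def hook(p):  # hypothetical recipient callback that calls back into the pool
        state["calls"] += 1
        if state["calls"] <= depth:
            try:
                p.withdraw("tester", 100, hook)
            except (ReentrantCall, ValueError):
                state["blocked"] += 1

    pool.withdraw("tester", 100, hook)
    return 1000 - pool.reserves, pool.balances["tester"], state["blocked"]
```

In the vulnerable mode the pool's reserves fall below the sum of its recorded balances, so a reserves-versus-records invariant is the condition to assert in tests and to monitor in production.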

Lendf.Me had integrated imBTC as a supported collateral asset in January 2020, giving users the ability to lend and borrow against their tokenized Bitcoin holdings. While the integration expanded dForce’s market appeal, it also introduced a critical attack vector that would prove catastrophic just three months later.

The scope of the damage was staggering. Data from DeFi Pulse confirmed that dForce’s total value locked dropped to effectively zero following the exploit. Every single asset in the protocol — Bitcoin, Ethereum, and various ERC-20 tokens — was siphoned out by the attacker.

The Uniswap Connection

The dForce exploit was not an isolated incident. Just before the Lendf.Me attack, the same vulnerability was used to drain approximately $300,000 worth of tokens from Uniswap’s imBTC liquidity pool. The dual attacks highlighted the systemic risks that shared token integrations can create across interconnected DeFi protocols.

In response to the Uniswap exploit, TokenLon, the team behind imBTC, temporarily suspended imBTC transfers. However, the damage to dForce had already been done. The incident served as a stark reminder that a vulnerability in a single token standard can cascade across multiple protocols simultaneously.

Broader Implications for DeFi Security

The dForce hack occurred during a period of explosive growth for DeFi. Total value locked in DeFi protocols had been climbing steadily, attracting both legitimate capital and malicious actors. The attack raised fundamental questions about the security practices of rapidly deployed DeFi protocols and the due diligence being performed on token integrations.

At the time of the exploit, Bitcoin was trading around $7,257 and Ethereum at approximately $187 according to CoinMarketCap data. The $25 million loss represented a significant portion of the total DeFi market at the time, underscoring how concentrated risk was in a relatively small number of protocols.

The attack also drew attention to the risks of composability — one of DeFi’s most celebrated features. While the ability to seamlessly combine different protocols and tokens creates powerful financial products, it also means that a single point of failure can trigger cascading failures across the ecosystem.

Why This Matters

The dForce exploit was a watershed moment for DeFi security. It demonstrated that even protocols backed by major venture capital firms and audited by security researchers could harbor critical vulnerabilities. The incident accelerated the development of formal verification tools, bug bounty programs, and more rigorous auditing, all of which would become standard practice in the DeFi industry.

In a remarkable twist, the hacker ultimately returned the stolen funds to dForce on April 21, 2020, after the team publicly appealed and researchers traced the attacker’s activities. However, the damage to dForce’s reputation was lasting, and the protocol struggled to recover user trust in the months that followed.

The lessons from the dForce hack continue to resonate in the DeFi space. Every major protocol hack since — from Poly Network to Ronin Bridge — has echoed the same fundamental truth: security is not a feature that can be added after the fact. It must be woven into the fabric of every smart contract from the very first line of code.


5 thoughts on “DeFi Under Fire: dForce Protocol Drained of $25 Million in Devastating Exploit”

  1. the same imBTC vulnerability hit uniswap for 300k right before lendf.me got wrecked for 25M. token integrations are shared attack surface
