The person(s) that attacked Lendf.Me, the lending protocol in the “decentralized finance protocol” dForce network – actually returned the money they had stolen, allegedly because they broke the number one rule in hacking: don’t reveal your identity.
As reported yesterday, Lendf.Me was attacked on Sunday and a whopping USD 25.2 million were drained from. This was done through a sophisticated – and known – reentrancy vulnerability that enables a hacker to withdraw imBTC (an Ethereum token valued at 1:1 rate with bitcoin (BTC) ) repeatedly.
Yet, in a peculiar turn of events, it seems that the attacker has returned the stolen funds. Already yesterday we saw reports that the attacker has been returning certain amounts of funds, but it wasn’t clear why this move was made. More of such reports started coming in today as well, turning out that the attacker returned all the stolen funds in the end.
tfw when my ethics are even lower than a hacker pic.twitter.com/ksmwTaPJqH
— 찌 G 跻 じ ⚡️ (@DegenSpartan) April 21, 2020