Decentralized finance (DeFi) platform dForce has lost $25 million, 99% of its assets, in a hack. This happened only a day after Uniswap lost $300,000 in a hack of its own. Both hacks appear to be linked to the imBTC token, a wrapped version of Bitcoin (BTC) created by imToken that is apparently not secure.
Specifically, imBTC is an ERC-777 token, and it can be exploited via reentrancy attacks because ERC-777 executes contract code when tokens are received, unlike ERC-20, which only executes contract code when Ethereum (ETH) is received.
To make a complicated story short, the hacker was able to call the smart contract and withdraw the funds before the external balance could be updated, leading to a cycle where all the tokens could be purchased for pennies.
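The ordering problem described above can be shown with a simplified Python model. This is an added example, not code from dForce, Uniswap or imBTC. Every class and function name in it is hypothetical, and it assumes a token that calls a hook on the recipient during a transfer.

```python
# Simplified model, constructed for illustration; all names are hypothetical.
class HookToken:
    """Token whose transfer() runs recipient code (the ERC-777 behaviour described above)."""
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook:
            hook(amount)  # control passes to the recipient mid-transfer

class VulnerableVault:
    """Pays out first and updates its own ledger afterwards."""
    def __init__(self, token):
        self.token, self.ledger = token, {}

    def withdraw(self, who):
        amount = self.ledger.get(who, 0)
        if amount:
            self.token.transfer(self, who, amount)  # external call first
            self.ledger[who] = 0                    # ledger updated too late

class HardenedVault(VulnerableVault):
    """Checks-effects-interactions: the ledger is zeroed before the external call."""
    def withdraw(self, who):
        amount = self.ledger.get(who, 0)
        if amount:
            self.ledger[who] = 0
            self.token.transfer(self, who, amount)

class ReenteringRecipient:
    """Recipient whose hook calls withdraw() again while the first call is still running."""
    vault = None
    def tokens_received(self, amount):
        try:
            self.vault.withdraw(self)
        except ValueError:
            pass  # the vault has nothing left to send

def simulate(vault_cls, deposit=10, other_funds=90):
    """Return (recipient balance, vault balance) after one withdraw() call."""
    token, user = HookToken(), ReenteringRecipient()
    user.vault = vault = vault_cls(token)
    token.balances[vault] = deposit + other_funds  # vault also holds other users' funds
    vault.ledger[user] = deposit                   # the recipient is owed only its deposit
    vault.withdraw(user)
    return token.balances.get(user, 0), token.balances[vault]
```

With the payout made before the ledger update, a deposit of 10 empties the vault of all 100 tokens. With the order reversed, the nested call sees a zero ledger entry and only the original 10 leave.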
Shockingly, this ERC-777 exploit was known about 16 months ago. Even worse, the Uniswap imBTC hack happened a day before dForce was hacked, and if dForce had been paying attention, it would have had time to prevent the $25 million hack.
Ultimately, it appears this is a relatively isolated incident in the DeFi world, since it was due to a single token, imBTC, lacking security. However, it goes to show that even one insecure piece of a DeFi platform can lead to all of the funds being drained, and the lesson is that DeFi platforms and crypto exchanges need to be very careful about which tokens they offer.