Nobody saw the white hat until it was too late.
The FORCE community rugged itself.
At 08:50 UTC the following message was posted in the Force DAO Discord.
We were alerted that a bug was found in the FORCE/xFORCE contract. The individual, for the safety of the token, removed all of them while getting in contact with us. We are all wide awake and working on this. With that, please do not attempt to trade FORCE tokens at this time while we address the situation.
Unfortunately, the message came too late - the community had already dumped their tokens, and the white hat hacker was left holding the bag.
FORCE price fell 90% in a matter of minutes.
Minted 347,432,986 xFORCE 0xdf05020d5d3c3a975627ce29f24b4eb8ccb8807f9f9c9aa05e644c61fe5f0141
Withdrew 4112 FORCE using minted xFORCE 0x3b60252b36d2de2930a64f360926bfcba44d12ff44719de3c6dd486b9dafe118
Sold FORCE via 1inch 0x03c84e3f7d9c117260a49bab6bd9cb1b2d7e1cbc6d9362e74c10ef6d48a987e6
Return 14,833 FORCE 0xfda56d853714860e79512791d065a626e5102d52934c769e981619daf3c85f33
And finally, like vultures (with poor OPSEC), other hackers arrived to feed on the leftovers.
The money was returned, and Force narrowly avoided a spot on our leaderboard, but why would the white hat hacker take this responsibility when they could have placed it with the team?
Will this impact the price of BADGER?
Is the team incompetent, or was the hacker hedging himself? Anyone could have minted and stolen it all, and as samczsun wrote;
lmao the xforce vault didn't check the return value on transferFrom
As a member of our OPSEC team mentioned;
They use the years old MiniMeToken contract which doesn't revert but returns false when you transferFrom without approval or not enough funds. So that's problematic per se. Should've wrapped it in a safeTransferFrom.
But then they might've chosen to use a better token contract for FORCE anyway!
Now even airdrops can cost you money.
What was considered one of the smallest airdrops ever might actually end up a net negative for the users who claimed once they have deducted their gas costs.
Force DAO - the smallest airdrop followed by the easiest hack.
Please, if you’re going to make us work on a Sunday then at least make it entertaining.
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.