defirisk.co
rubric v1.7.0

LNDFi (LND.fi): Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev)

Occurred: 2025-05-09 | Loss: $1M | Status: closed

Summary

LNDFi (LND.fi) suffered a Lending / Money Market incident on 2025-05-09, resulting in a loss of approximately $1M.

What happened

LNDFi lost $1.18M when a suspected DPRK developer injected a single backdoor line into their Aave V3 fork 41 days before launch, giving any Pool Admin the power to drain depositor funds — and then did exactly that in 45 seconds.

Linked factors

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited; backdoor injected at development stage]
  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — fresh deployment with injected backdoor]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
  • RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — Pool Admin role assignment was the enabling action]
  • RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: 41 days (from deployment to exploit)]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — Pool Admin role assignment was the enabling action]
  • RD-F-122 — related : Contributor paid to wallet routing to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
  • RD-F-123 — causal : ★ Sudden admin/ACL change absent issue/PR — DPRK insider class [via dashboard_risk_factors/Team anonymity: Pseudonymous; possible DPRK IT worker involvement]
  • RD-F-125 — causal : ★ Deployer linked to DPRK cluster [via dashboard_risk_factors/Team anonymity: Pseudonymous; possible DPRK IT worker involvement; via cross-hack: Factor 65: DPRK Developer Risk]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Aave V3 fork]