Hackers targeted two cryptocurrency platforms, Uniswap crypto exchange and Lendf.me lending platform. As reported, the hackers managed to steal cryptocurrency worth $25 million from both platforms.
Two Cryptocurrency Platforms Targeted
Reportedly, hackers have recently targeted two cryptocurrency platforms, Uniswap and Lendf.me, to steal crypto assets worth $25 million. Uniswap is a cryptocurrency exchange, whereas, Lendf.me is a cryptocurrency lending platform.
Briefly, the attackers exploited a reentrancy vulnerability to target both services. Both Uniswap and Lendf.me had a few things in common, which might have triggered similar attacks. These include the involvement of Lendf.me protocol (powered by dForce decentralized finance (DeFi) protocol), imBTC token (powered by imToken), and ERC-777 – an underlying technology of Ethereum blockchain facilitating smart contracts. The same technology empowers imBTC and DeFi protocol to run as smart contracts.
According to an analysis shared by PeckShield, a blockchain security firm, the attackers exploited a reentrancy vulnerability due to the incompatibility of ERC-777 with both smart contracts.
The main logic behind these two incidents is the incompatibility between ERC777 and those DeFi smart contracts, which might be misused by the attacker to utterly hijack a normal transaction and perform additional illicit operations.
Whereas, imToken has also elaborated on the same reason for the attack.
The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.
Regarding how the attackers could conduct this attack, imToken hinted towards a 2019 exploit available on GitHub.
$25 Million Worth Crypto Stolen
Together in both incidents, the attackers could manage to pilfer $25 million worth of cryptocurrency.
Following the attack, imToken suspended the imBTC contract to investigate the matter. They will resume services once both Uniswap and Lendf.me give them the green signal to do so.
As possible mitigation to avoid reentrancy attacks, PeckShield recommends using Checks-Effects-Interactions design pattern.
Let us know your thoughts in the comments.