$25 Million Worth of Cryptocurrency Stolen by Hackers from Uniswap and Lendf.me


Around $25 million of cryptocurrency was stolen from Uniswap and Lendf.Me over the weekend by hackers who exploited contracts running on the Ethereum blockchain.

Of the two, Lendf.Me, a decentralized lending network that lets users borrow and withdraw immediately, was hit hardest, losing 99.95% of its funds, or $24.5 million. Lendf.Me itself is funded by the dForce Foundation, a member of the DeFi stack’s integrated and interoperable open finance protocol network.

Given this relationship, which entity was actually attacked is unclear: some sources state that it was dForce itself that was hacked, while a message sent to the Chinese Chain News website stated that Lendf.me was directly targeted. To complicate matters further, the assault included the theft of imBTC, an ERC-20 token developed by the dForce Foundation and now owned by a separate firm named Tokenlon.

Uniswap, the second company attacked, is not sponsored by the dForce Foundation, but like Lendf.me it is a DeFi protocol that handles imBTC. Uniswap is said to have lost between $300 million and $1.1 million in imBTC tokens.

According to Tokenlon, the first assault, on Uniswap at 8 p.m. EDT Friday, used an exploit aimed at ERC777, a token standard on the Ethereum blockchain, to carry out a “reentrancy attack.” Such an attack uses an external call to another untrusted contract before the calling contract has finalised its own state changes (its “effects”), which allows an attacker to take control of the smart contract’s flow.

As a first reaction, Tokenlon suspended imBTC transfers and told users of the potential security risks. Transfers resumed at five o’clock EDT Saturday (16.00 in Singapore, where the business is based) after its partners stated that they were all right.

Fast-forward to 9:28 p.m. Saturday (9:28 a.m. Sunday in Singapore), when Lendf.me told Tokenlon that it too had been targeted in a reentrancy attack. Forty-six minutes later, imBTC transfers were suspended again.

“The ERC-777 token standard has — to our knowledge — no security vulnerabilities,” Tokenlon said. “However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the reentrancy attacks.”
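As an added illustration, and not code from Uniswap, Lendf.Me, dForce or Tokenlon, the two contracts below show the pattern that the description of the reentrancy attack and Tokenlon’s comment on the ERC777 combination refer to. An ERC777 transfer calls back into the sender (`tokensToSend`) or recipient (`tokensReceived`) in the middle of the transfer, for any address that has registered a hook in the ERC1820 registry, so a contract that makes that external call before recording its own state change can be re-entered while its accounting is stale. The hardened version applies checks-effects-interactions and a reentrancy guard. `IERC777`, `VulnerableVault` and `HardenedVault` are names assumed for this example; the token is assumed to be any ERC777-conformant contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not project code). Minimal ERC777 surface used below; the
// token is assumed to follow the ERC777 standard, i.e. both send() and
// operatorSend() invoke the ERC1820-registered tokensToSend/tokensReceived
// hooks of the counterparty before the call returns.
interface IERC777 {
    function send(address to, uint256 amount, bytes calldata data) external;
    function operatorSend(
        address from,
        address to,
        uint256 amount,
        bytes calldata data,
        bytes calldata operatorData
    ) external;
}

// Vulnerable shape: the external call (token.send, which runs the recipient's
// tokensReceived hook) happens BEFORE the balance is reduced. A recipient
// contract can call withdraw() again from inside the hook while its recorded
// balance is still the old value.
contract VulnerableVault {
    IERC777 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC777 _token) {
        token = _token;
    }

    // Caller must first authorise this vault as an ERC777 operator.
    function deposit(uint256 amount) external {
        token.operatorSend(msg.sender, address(this), amount, "", "");
        balances[msg.sender] += amount;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        token.send(msg.sender, amount, ""); // interaction first: hook fires here
        balances[msg.sender] = 0;           // effect last: too late
    }
}

// Hardened shape: every state change ("effect") is written before the
// external call ("interaction"), and a guard rejects any nested call into
// the vault for the duration of the outer call, so the hook cannot re-enter.
contract HardenedVault {
    IERC777 public immutable token;
    mapping(address => uint256) public balances;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC777 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external nonReentrant {
        balances[msg.sender] += amount;                                // effect
        token.operatorSend(msg.sender, address(this), amount, "", ""); // interaction
    }

    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;           // effect before interaction
        token.send(msg.sender, amount, "");  // hook can no longer re-enter
    }
}
```

The guard matters even with correct ordering: in `deposit`, the sender’s `tokensToSend` hook runs during `operatorSend`, after the balance has been credited but before the tokens arrive, so without `nonReentrant` a hook could call `withdraw` against a balance the vault has not yet received. An ERC-20 token with no transfer hooks never hands control back to the caller mid-transfer, which is why the same vault code behaves differently once an ERC777 token is plugged in.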

At the time of writing, both Uniswap and Lendf.Me remain offline while an investigation into who was behind the attack is under way.

Exploit Details:

According to Github, the environment consists of:

  • A “template” Exchange
  • A Uniswap Exchange Factory (see uniswap_factory.vy – taken from Uniswap’s repository)
  • The ERC777 token to be exchanged
  • The ERC1820 registry to register interfaces
  • The actual Exchange for the token (see uniswap_exchange.vy – taken from Uniswap’s repository)
  • Sending/approving the necessary ETH and tokens to all actors

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.