Cryptocurrencies have always been a primary target for cybercriminals, leading to cyber heists on cryptocurrency exchanges. Recently, $25 million worth of cryptocurrency was stolen from the Uniswap exchange and the Lendf.me lending platform. The hacker took advantage of a known vulnerability that concerns the ERC777 token standard in the Ethereum blockchain technology. Experts believe that the two attacks could have been carried out by the same hacker, as a similar exploit, termed a “reentrancy attack”, was used in both cases.
Lendf.Me is a decentralized lending platform that enables instant borrowing and withdrawal capabilities. Lendf.Me faced a major blow with 99.95% of funds or 24.5 million dollars being stolen. Lendf.Me is driven by the dForce Foundation, a provider of an integrated and interoperable platform of open finance protocols that runs on the DeFi stack. The attack involved the theft of imBTC, an ERC-20 token that was designed by the dForce Foundation but is now run by a separate company called Tokenlon.
The ERC-777 token standard has — to our knowledge — no security vulnerabilities of its own. However, the combination of ERC777 tokens with the Uniswap and Lendf.Me contracts is what enables the reentrancy attacks.
The second targeted company, Uniswap, is an independent and fully decentralized, protocol-based automated liquidity provider for Ethereum cryptocurrency. Uniswap does not use the DeFi stack but uses the Lendf.me protocol, which is built using the DeFi stack as well as imBTC. The losses at Uniswap are believed to be between $300,000 and $1.1 million in imBTC tokens.
According to Tokenlon, the first attack was targeted at Uniswap’s ERC777 token to perform a “reentrancy” attack. This attack exploits a function that makes an external call to another, untrusted contract before it has applied its own state changes (its “effects”), allowing the called contract to re-enter the function and take over the control flow of the smart contract. To evaluate potential security risks, Tokenlon suspended transfers of imBTC while informing users about it. Transfers resumed a short while later, but Lendf.me then informed Tokenlon of a further attack on their platform, after which operations were suspended completely.
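To make the ordering problem described above concrete, here is an added Solidity example (not code from the original article, nor from Uniswap, Lendf.me or Tokenlon). The `VulnerableVault` and `HardenedVault` contracts and the `IToken` interface are hypothetical; the only assumption about the token is the ERC777 behaviour that `transfer` and `transferFrom` invoke a hook on the recipient or sender contract before the call returns. The vulnerable version performs the external token call before zeroing the caller's balance, so a hooked recipient can re-enter `withdrawAll` while the balance still reads as unspent; the hardened version applies checks-effects-interactions ordering and a reentrancy guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface (assumption). With an ERC777 token, transfer()
// calls tokensReceived() on a registered recipient contract and
// transferFrom() calls tokensToSend() on the sender, both BEFORE returning.
interface IToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE (illustrative): the external call runs before the effect.
contract VulnerableVault {
    IToken public immutable token;
    mapping(address => uint256) public balances;

    constructor(IToken _token) { token = _token; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    function withdrawAll() external {
        uint256 amount = balances[msg.sender];          // check: read balance
        require(amount > 0, "nothing to withdraw");
        // interaction: an ERC777 recipient hook fires inside this call, and
        // balances[msg.sender] is still unchanged, so withdrawAll() can be
        // re-entered and the same balance paid out again.
        require(token.transfer(msg.sender, amount), "transfer failed");
        balances[msg.sender] = 0;                        // effect: too late
    }
}

// HARDENED: effects before interactions, plus a mutex on every entry point.
contract HardenedVault {
    IToken public immutable token;
    mapping(address => uint256) public balances;
    uint256 private locked = 1;                          // 1 = free, 2 = busy

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IToken _token) { token = _token; }

    // Guarded as well: transferFrom() triggers the sender's tokensToSend hook,
    // which could otherwise re-enter withdrawAll() mid-deposit.
    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    function withdrawAll() external nonReentrant {
        uint256 amount = balances[msg.sender];          // check
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                        // effect first
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction last
    }
}
```

The guard alone would stop the re-entry, and the reordering alone would stop the double payout; using both is the usual practice because the guard also covers cross-function re-entry (a hook calling a different function of the same contract) that ordering within one function cannot. When auditing a contract that holds ERC777-compatible tokens, every `transfer`, `transferFrom` and `send` call should be treated as an untrusted external call for this reason.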
A proof of concept for exploiting an ERC777 token on a Uniswap exchange has been publicly available on GitHub since June 2019. The exploit details and how the exploit works have been shared on this forum.
The operations of both platforms, Uniswap and Lendf.me, remained suspended at the time of publication. However, according to ChainNews, the hackers, in a bizarre turn of events, have returned $126,014 to Lendf.Me with a note saying, “Better luck next time”.