Hackers have exploited the Uniswap exchange and the Lendf.me lending platform and managed to steal over $25 million worth of cryptocurrency.
The attacks which occurred last weekend are believed to be related and performed by the same person or group.
The investigation is still ongoing, but so far it indicates that the hackers chained bugs and legitimate features from different blockchain technologies to carry out a sophisticated “reentrancy attack.”
A reentrancy attack permits an attacker to withdraw funds repeatedly, in a loop, before the original transaction is approved or declined.
The similarity between Uniswap and Lendf.me is that both platforms were using:
- Lendf.me protocol — a decentralized finance (DeFi) protocol developed by the dForce Foundation to support lending operations on the Ethereum platform.
- imBTC — a token (coin) that runs on the Ethereum platform and is valued at a 1:1 rate with the Bitcoin cryptocurrency.
- ERC-777 — one of the underlying technologies of the Ethereum blockchain meant to support smart contracts (both Lendf.me and imBTC run as smart contracts on the Ethereum platform).
According to Tokenlon, the company behind imBTC, the ERC-777 token standard has no security vulnerabilities.
But the combination of ERC-777 tokens and the Uniswap/Lendf.me contracts enables reentrancy attacks.
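The mechanism behind the two paragraphs above is worth seeing in code. An ERC-777 transfer is not a silent balance update: the standard calls a `tokensToSend` hook on the sender and a `tokensReceived` hook on the recipient during the transfer, so any contract that moves ERC-777 tokens hands control to other code mid-function. If that contract updates its own bookkeeping only after the transfer returns, the hook can call back into it while the old balance is still recorded. The following is an added illustration written for this article, not code from Uniswap, Lendf.me, imBTC or OpenZeppelin; the pool contracts, their function names and the minimal `IERC777` interface are assumptions made for the example (the `send` and `operatorSend` signatures follow EIP-777).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-777 interface, only the two transfer entry points this example uses.
// Both invoke the sender's tokensToSend hook and the recipient's tokensReceived hook
// before the token balances are final (per EIP-777).
interface IERC777 {
    function send(address to, uint256 amount, bytes calldata data) external;
    function operatorSend(
        address from,
        address to,
        uint256 amount,
        bytes calldata data,
        bytes calldata operatorData
    ) external;
}

// Hypothetical lending pool written the UNSAFE way: the external token call happens
// before the pool records the change, so a hook fired during the transfer observes
// (and can act on) stale accounting. Shown only to contrast with the hardened version.
contract VulnerablePool {
    IERC777 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC777 _token) { token = _token; }

    // Depositor must first have authorized this pool as an ERC-777 operator.
    function deposit(uint256 amount) external {
        token.operatorSend(msg.sender, address(this), amount, "", ""); // hook runs here
        balances[msg.sender] += amount;                                // credited afterwards
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        token.send(msg.sender, amount, "");   // hook runs here, balance still undebited
        balances[msg.sender] -= amount;       // debit happens after control returned
    }
}

// The same pool hardened with two independent defences:
//  1. checks-effects-interactions ordering: all state is written BEFORE any external call,
//     so code reached through a hook sees the already-updated balance;
//  2. a reentrancy guard (mutex) that makes any nested call into a guarded function revert,
//     as defence in depth in case a future change breaks the ordering.
contract HardenedPool {
    IERC777 public immutable token;
    mapping(address => uint256) public balances;

    uint256 private _status = 1; // 1 = not entered, 2 = entered (non-zero values keep gas costs flat)

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC777 _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        balances[msg.sender] += amount;                                // effect first
        token.operatorSend(msg.sender, address(this), amount, "", ""); // interaction last
        // If the transfer reverts, the whole transaction reverts, so the early credit is safe.
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");       // check
        balances[msg.sender] -= amount;                                // effect
        token.send(msg.sender, amount, "");                            // interaction last
    }
}
```

Two review points follow from this. First, the risk is not in ERC-777 itself, as Tokenlon says, but in any contract that reads a balance, performs a token transfer, and then writes the balance: auditors should flag every external call that precedes a state write, and treat ERC-777 transfers (and any token with transfer hooks) as external calls into untrusted code. Second, the guard is a backstop, not a substitute for ordering; production code should use a well-reviewed implementation such as OpenZeppelin's `ReentrancyGuard` rather than a hand-written mutex like the one above.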
The company believes that the hackers made use of an exploit published in July 2019 on GitHub by OpenZeppelin, a company that performs security audits for cryptocurrency platforms.
It is believed that Uniswap lost between $300,000 and $1.1 million in funds, while Lendf.me lost more than $24.5 million.
The hackers used the reentrancy attack to drain funds from each platform into their wallet, and then immediately transferred the funds to other accounts.
Following the attack, both websites were taken down to prevent further attacks. Tokenlon also suspended its imBTC token and is blocking all new transactions to prevent the hackers from performing new attacks against other platforms.