Hack: Uniswap and Lendf.me lost $ 25M in cryptocurrencies

Over the past weekend, computer attacks have targeted the exchange Uniswap and the DeFi platform Lendf.me. The hackers have stolen for more than $ 25 million both crypto companies.

Two cryptocurrency players paid the price cyberattacks separate over the weekend of April 18 and 19. If the investigation continues, the two hacks would nevertheless be closely linked.

According to the information communicated, the hackers would have exploited the bugs and functionalities of several blockchain technologies in order to conduct a "reentrancy" attack. This technique exploits a flaw in the system to target smart contracts and thus illegally drain funds.

Attacks combining imBTC and smart contracts

In this way, attackers can repeatedly perform the same withdrawal operation before the initial transaction is processed (accepted or refused) by the platform. For the Lendf.me loan protocol, the cyber attack resulted in the withdrawal of at least $ 25 million in Ether and Bitcoin from his wallet.

For the boss of Compound, Robert Leshner, interviewed by Coindesk, hacking Lendf.me follows the attack on Uniswap. These are more precisely the imBTC tokens of the exchange that were targeted.

The leader stresses that imBTC, a token ERC-777, is "not a normal Ethereum active". Consequently, smart contracts including imBTC must be treated with additional security measures to prevent reentrancy attacks.

Tokenlon, the company behind the imBTC token, would like to point out that this standard does not present any security flaws, "to its knowledge". She believes that it is the combination of the use of ERC777 tokens and the Uniswap / Lendf.Me contracts which is at the origin of the cyber attack.

ImBT token and transactions suspended during the investigation

To steal the cryptocurrencies, the hackers also used a public exploit, unveiled on GitHub last summer. The vulnerability had been revealed by a company specializing in the security of crypto platforms, OpenZeppelin.

The damage is consequential for Uniswap and Lendf.me. The services would have lost respectively between 300,000 and 1.1 million dollars, and more than 24.5 million for the DeFi protocol (belonging to the dForce Foundation). The two platforms have disconnected their services to prevent further intrusions.

As for Tokenlon, it announced that it had suspended its imBT token and blocked all new transactions. Goal : prevent the use of this same technique against other services with the same characteristics and therefore potentially vulnerable.