Pierluigi Paganini April 20, 2020

Hackers have stolen more than $25 million worth of cryptocurrency from the Uniswap exchange and the Lendf.me lending platform.

Bad news from cryptocurrency industry, hackers have stolen more than $25 million in cryptocurrency from the Uniswap exchange and the Lendf.me lending platform.

According to the experts, the two attacks could be linked, the same hacker might have used an exploit shared on GitHub to hack the two services.

The issue exploited by the attacker was described in a post published by OpenZeppelini in April 2019, a proof-of-concept exploit code was released in July 2019,

The two incidents took place between Saturday and Sunday.

“Started at 12:58:19 AM +UTC, Apr-18–2020, a known reentrancy vulnerability was exploited on Uniswap against the imBTC. liquidity pool. Around 24 hours later, at Apr-19–2020 12:58:43 AM +UTC, a similar hack occurred on Lendf.Me.” reads the analysis published by Blockchain security firm PeckShield. “Technically, the main logic behind these two incidents is the fact that the implementation of ERC777-compatible transferFrom() has a callback mechanism, which allows the attacker to utterly hijack the transaction and perform additional illicit operations (via _callTokensToSend()) before the balance is really updated (i.e., inside _move()).”

Attackers have chained a reentrancy vulnerability with other issues and legitimate features from different blockchain technologies to hack the platforms.

A reentrancy attack consists in withdrawing funds repeatedly before the legitimate transaction is approved or declined.

In the hack of the Uniswap platform, the attacker exploited the issue to steal funds from the Uniswap liquidity pool of ETH-imBTC (containing about 1,278 ETH). In the case of the Lendf.Me hack, the attacker exploited the same issue to increase the internal record of the attacker’s imBTC collateral amount so that she can borrow (and indeed borrow) a variety of 10+ assets from all available Lendf.Me liquidity pools (with total asset value of $25,236,849.44).

According to Tokenlon, the company behind the imBTC token (coin) that runs on the Ethereum platform, the ERC-777 is not affected by security known issues.

The problem results by combining the ERC777 tokens and Uniswap/Lendf.Me contracts.

“imBTC is an ERC-777 token anchored 1:1 to BTC (compatible with the ERC20 standard) issued by Tokenlon. The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.” reads the post published by Tokenlon DEX.

It seems that the hacker has stolen between $300,000 and $1.1 million in funds from Uniswap, and more than $24.5 million from Lendf.me.

Tokenlon has suspended its imBTC token as precautionary measure and blocked all new transactions. Both Uniswap and the Lendf.me have been taken down to prevent further attacks.

Pierluigi Paganini

(SecurityAffairs – Uniswap, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]