The cryptocurrency industry has suffered a major loss over the weekend, after bad actors managed to steal more than $25 million worth of digital currency from Uniswap and Lendf.me.
Believed to be the handiwork of a single group or individual, the two ‘reentrancy attacks’ were possible by a known vulnerability found in the ERC777-token of Uniswap Exchange, an exploit made public in July 2019.
The reentrancy vulnerability allows a repeated withdrawal of funds before the initial transaction is declined or approved.
The first target on the attackers’ list was Uniswap, a fully decentralized peer-to-peer cryptocurrency exchange platform, providing users with a means to trade Ethereum cryptocurrency. In this case, the hackers stole between $300,000 and $1.1 million (in imBTC tokens). The decentralized lending platform Lendf.Me, meanwhile, suffered an even bigger blow, as bad actors managed to transfer more than $24 million to their account.
Tokenlon, the company behind the imBTC token that runs on the Uniswap platform, provides a timeline of the events:
“8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to perform a reentrancy attack. For technical details please refer to Open Zeppelin’s explanation here.
12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.
12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.
17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.
09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.
10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.”
Following the two incidents, both Uniswap and Lendf.Mewere taken offline to prevent further attacks. Tokenlon said that “imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.” Users are advised to follow updates on the company’s Twitter page.