While blockchains and cryptocurrencies promise more security and robustness, exploits still happen on them. A recent incident in this space is the hack of over $25 million worth of cryptocurrency from an exchange called Uniswap and a finance lending platform called Lendf.me. These two platforms have a few things in common, and hackers exploited them with a trick called a reentrancy attack to siphon the funds to their wallets.
Common points and combinations
Centralized exchanges have long been criticized for failing a fundamental of blockchain: being decentralized. They act as a single point of failure and could lose customers' funds if improperly managed. One such attack in the virtual currency space is the hack of Uniswap, a cryptocurrency exchange that lost somewhere between $300,000 and $1.1 million. The other victim is a decentralized finance lending platform called Lendf.me, which lost more than $24.5 million.
The two have a few things in common, which the hackers leveraged to steal the funds: the Lendf.me protocol, developed by the dForce foundation; the ERC-777 technology, which services like Lendf.me and Uniswap use with their smart contracts; and the imBTC token, which runs on the Ethereum platform.
An investigation into the hack is currently underway, but Tokenlon (maker of imBTC) said there is no problem with the underlying ERC-777 technology. Rather, the combination of ERC-777 and the Uniswap/Lendf.me contracts allowed a reentrancy attack, which let the hackers gain funds. A reentrancy attack allows someone to withdraw funds continuously even before the first transaction was approved. This was explained by OpenZeppelin on GitHub last year.
While Tokenlon suspended imBTC temporarily, the websites of both Lendf.me and Uniswap were taken down to avoid any further attacks. This incident happened over the weekend, and the estimated losses amounted to more than $25 million worth of cryptocurrency.
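The ordering problem behind a reentrancy bug, and the fix of updating the ledger before making the external call, can be seen in a small model. This is an added example, not code from Uniswap, Lendf.me, imBTC or OpenZeppelin; the `Pool`, `Account`, `ReentrantAccount` and `simulate` names, the `on_receive` hook standing in for a token's recipient callback, and all amounts are assumptions made up for illustration.

```python
# Constructed model, not any real contract: a pool that pays out through a
# token which runs a callback in the recipient during the transfer.

class Account:
    def __init__(self, name):
        self.name, self.wallet = name, 0

    def on_receive(self, pool, amount):      # hypothetical recipient hook
        self.wallet += amount

class ReentrantAccount(Account):
    def on_receive(self, pool, amount):
        self.wallet += amount
        pool.withdraw(self, amount)          # calls back in before withdraw() returns

class Pool:
    def __init__(self, update_before_call):
        self.update_before_call = update_before_call
        self.deposits = {}                   # credited balance per account name
        self.reserves = 0                    # tokens the pool actually holds

    def deposit(self, who, amount):
        self.deposits[who.name] = self.deposits.get(who.name, 0) + amount
        self.reserves += amount

    def withdraw(self, who, amount):
        balance = self.deposits.get(who.name, 0)
        if balance < amount or self.reserves < amount:
            return False
        if self.update_before_call:          # hardened: effect, then interaction
            self.deposits[who.name] = balance - amount
        self.reserves -= amount
        who.on_receive(self, amount)         # external code runs here
        if not self.update_before_call:      # weak: stale balance written afterwards
            self.deposits[who.name] = balance - amount
        return True

    def solvent(self):                       # invariant worth monitoring
        return self.reserves >= sum(self.deposits.values())

def simulate(update_before_call):
    pool = Pool(update_before_call)
    saver, caller = Account("saver"), ReentrantAccount("caller")
    pool.deposit(saver, 100)
    pool.deposit(caller, 10)
    pool.withdraw(caller, 10)
    return caller.wallet, pool.reserves, pool.solvent()

if __name__ == "__main__":
    print("update after call :", simulate(False))
    print("update before call:", simulate(True))
```

With the balance written after the callback, every nested call passes the same balance check and the pool ends up holding less than it owes; with the balance written first, the second call is rejected and the `solvent()` invariant holds.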