A hackers' dream payday: Lendf.Me and Uniswap lose $25 million worth of cryptocurrency
The cryptocurrency industry has suffered a major loss over the weekend, after bad actors managed to steal more than $25 million worth of digital currency from Uniswap and Lendf.me.
Believed to be the handiwork of a single group or individual, the two “reentrancy attacks” were made possible by a known vulnerability found in the ERC777-token of Uniswap Exchange, an exploit made public in July 2019.
The reentrancy vulnerability allows a repeated withdrawal of funds before the initial transaction is declined or approved.
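The ordering problem behind that description, as an added example that is not code from Uniswap, Lendf.Me or imBTC: a toy Python model in which a payout hook runs before the balance is updated, next to the hardened ordering that records the debit first. All class names, method names and amounts are assumptions made for illustration.

```python
# Added illustration: a toy model of reentrancy. Every name here is hypothetical.

class Account:
    """Recipient whose receive hook runs during a payout (ERC777-style callback)."""
    def __init__(self, reenter_times=0):
        self.reenter_times = reenter_times   # nested withdraw calls made from the hook
        self.received = 0

    def on_receive(self, vault, amount):
        self.received += amount
        if self.reenter_times > 0:
            self.reenter_times -= 1
            vault.withdraw(self)             # re-enters before the outer call finishes


class Vault:
    def __init__(self, effects_first):
        self.effects_first = effects_first   # True = hardened ordering
        self.balances = {}
        self.reserve = 0

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.reserve += amount

    def withdraw(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0 or amount > self.reserve:
            return 0
        self.reserve -= amount
        if self.effects_first:
            self.balances[account] = 0        # record the debit, then call out
            account.on_receive(self, amount)
        else:
            account.on_receive(self, amount)  # hook sees the stale balance
            self.balances[account] = 0
        return amount

    def solvent(self):
        # Invariant worth monitoring: funds held equal funds owed.
        return self.reserve == sum(self.balances.values())


def run(effects_first):
    vault = Vault(effects_first)
    other, caller = Account(), Account(reenter_times=2)
    vault.deposit(other, 90)                  # constructed sample amounts
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.reserve, vault.solvent()
```

`run(False)` models the flawed ordering and `run(True)` the hardened one; the `solvent()` check is the kind of invariant a monitoring job can assert after every transaction.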
The first target on the attackers' list was Uniswap, a fully decentralized peer-to-peer cryptocurrency exchange platform, providing users with a means to trade Ethereum cryptocurrency. In this case, the hackers stole between $300,000 and $1.1 million (in imBTC tokens). The decentralized lending platform Lendf.Me, meanwhile, suffered an even bigger blow, as bad actors managed to transfer more than $24 million to their account.
Tokenlon, the company behind the imBTC token that runs on the Uniswap platform, provides a timeline of the events:
“8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to perform a reentrancy attack. For technical details please refer to Open Zeppelin's explanation here.
12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.
12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.
17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.
09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.
10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.”
Following the two incidents, both Uniswap and Lendf.Me were taken offline to prevent further attacks. Tokenlon said that “imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.” Users are advised to follow updates on the company's Twitter page.