
A hackers’ dream payday: Lendf.Me and Uniswap lose $25 million worth of cryptocurrency

Alina BÎZGĂ

April 21, 2020


The cryptocurrency industry suffered a major loss over the weekend, after bad actors managed to steal more than $25 million worth of digital currency from Uniswap and Lendf.Me.

Believed to be the handiwork of a single group or individual, the two “reentrancy attacks” were made possible by a known vulnerability found in the ERC777-token of Uniswap Exchange, an exploit made public in July 2019.

The reentrancy vulnerability allows a repeated withdrawal of funds before the initial transaction is declined or approved.
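The ordering problem described above, modelled as an added Python example (not code from the article, Uniswap, Lendf.Me or imBTC): a vault pays out through a transfer that invokes a recipient hook, and the result is compared when the ledger is updated after the transfer versus before it. The `Vault` class, the account names and the amounts are constructed for illustration.

```python
class Vault:
    """Constructed toy ledger; not code from Uniswap, Lendf.Me or imBTC."""

    def __init__(self, deposits, hardened):
        self.owed = dict(deposits)               # internal ledger: user -> balance
        self.reserves = sum(deposits.values())   # tokens the vault really holds
        self.paid = {}                           # tokens sent out per user
        self.hardened = hardened

    def _transfer(self, to, amount, hook):
        if amount > self.reserves:
            raise RuntimeError("insufficient reserves")
        self.reserves -= amount
        self.paid[to] = self.paid.get(to, 0) + amount
        if hook is not None:
            hook(self)       # recipient hook: foreign code runs mid-withdrawal

    def withdraw(self, who, hook=None):
        amount = self.owed.get(who, 0)           # check
        if self.hardened:
            self.owed[who] = 0                   # effect before interaction
            self._transfer(who, amount, hook)
        else:
            self._transfer(who, amount, hook)    # interaction first ...
            self.owed[who] = 0                   # ... ledger zeroed too late


def run(hardened, reentries=3):
    """Withdraw once as 'mallory' with a hook that re-enters `reentries` times."""
    vault = Vault({"mallory": 10, "alice": 90}, hardened)
    remaining = [reentries]

    def hook(v):
        if remaining[0] > 0:
            remaining[0] -= 1
            v.withdraw("mallory", hook)

    vault.withdraw("mallory", hook)
    return vault.paid["mallory"], vault.reserves


if __name__ == "__main__":
    print("vulnerable ordering:", run(hardened=False))
    print("hardened ordering:  ", run(hardened=True))
```

With the ledger zeroed before the transfer, every re-entrant call sees a balance of 0, so the account receives only its own deposit and the other depositor's funds stay in the reserves.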

The first target on the attackers’ list was Uniswap, a fully decentralized peer-to-peer cryptocurrency exchange platform, providing users with a means to trade Ethereum cryptocurrency. In this case, the hackers stole between $300,000 and $1.1 million (in imBTC tokens). The decentralized lending platform Lendf.Me, meanwhile, suffered an even bigger blow, as bad actors managed to transfer more than $24 million to their account.

Tokenlon, the company behind the imBTC token that runs on the Uniswap platform, provides a timeline of the events:


“8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to perform a reentrancy attack. For technical details please refer to Open Zeppelin’s explanation here.
12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.
12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.
17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.
09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one that happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.
10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.”

Following the two incidents, both Uniswap and Lendf.Me were taken offline to prevent further attacks. Tokenlon said that “imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.” Users are advised to follow updates on the company’s Twitter page.
