Hackers have made off with at least $25m from two cryptocurrency firms after apparently targeting them with “reentrancy attacks” over the weekend.
The raids affected decentralized lending platform Lendf.Me, which is supported by a decentralized finance (DeFi) network known as dForce, and crypto exchange Uniswap.
According to Tokenlon, the organization behind digital currency imBTC, the attackers first struck on Saturday exploiting a vulnerability at Uniswap in combination with the ERC777 token standard.
A reentrancy attack enables attackers to continually withdraw digital funds without being challenged until the status of the initial transaction changes.
It was responsible for the massive $60m raid on Ethereum-backed DAO in 2016.
Around a day after attackers hit Uniswap, Tokenlon received a message from Lendf.Me saying it had also been compromised, “resulting in a large number of abnormal borrowing on the platform.”
“ImBTC is an ERC-777 token anchored 1:1 to BTC (compatible with the ERC20 standard) issued by Tokenlon,” the firm explained. “The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.”
Founder of dForce, Mindao Yang, explained that the “callback mechanism” in his organization’s DeFi smart contracts enabled the hacker “to supply and withdraw ERC777 tokens repeatedly before the balance was updated.”
A more detailed explanation can be found here.
“The hacker(s) have attempted to contact us and we intend to enter into discussions with them,” said Yang.
“We are doing everything in our power to contain the situation. We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hacker(s)’s addresses, and engaged our legal teams.”