The accumulation of crypto coins has always been the ultimate goal for cybercriminals, a factor that has led a host of these hackers to launch mega heists targeting crypto exchanges.
Just recently, cryptocurrency worth a staggering $25 million was stolen from the Uniswap exchange and the Lendf.me platform.
For background, Lendf.me is a decentralized service that provides a platform for instant borrowing and withdrawal. Driven by the dForce Foundation, which provides an integrated platform for open finance protocols that operate on the DeFi stack, Lendf.me suffered a 99.95 percent loss of funds, to the tune of $24.5 million.
In Lendf.me’s context, the attack was marked by the stealing of imBTC, a token designed by the dForce Foundation, now run by Tokenlon, that’s the official protocol for proposing improvements to the Ethereum (ETH) network.
The second victim, Uniswap, is a protocol-based independent liquidity provider for the Ethereum crypto. Unlike Lendf.me, which employs the DeFi stack, this fully decentralized automated platform uses the Lendf.me protocol, a tool whose building blocks are centered on both the DeFi stack and imBTC.
Reportedly, in this crypto heist Uniswap lost between $300,000 and $1.1 million in imBTC tokens.
Both attacks happened last weekend with investigators probing the possibility that the two attacks were designed and launched by the same hackers. The relatedness of the two attacks is striking, considering the similarities (between Lendf.me and Uniswap) that might have been exploited by the hackers.
The similarities in question involve the already-mentioned Lendf.me protocol that denotes a decentralized finance protocol, which facilitates lending capabilities on the ETH platform.
In addition, the ERC777 token standard is employed by both Lendf.me and Uniswap – it is one of the technologies used on the ETH blockchain to enable the smart contracts that define the two entities. Nonetheless, it is worth noting that experts had not identified any security vulnerabilities associated with the token standard up to this point.
An investigation by a cyber-audit firm for crypto platforms, OpenZeppelin, suggested that the attackers took advantage of an exploit published about Uniswap in July 2019. It is thought that the hackers targeted Uniswap on Saturday, then used the exploit again in attacking Lendf.me the following day.
According to investigators, this vulnerability is associated with the ERC777 token standard in the ETH blockchain. It is believed that the two cases involved the same hackers considering the fact that a “reentrancy attack” technique was traced on both attacks.
Reentrancy attacks provide hackers with the capability to withdraw funds repeatedly, even before the original transaction undergoes an approval or “denial of request” process. In technical terms, the attacks enabled the hackers to assume control of the smart contracts.
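To make the mechanism concrete, the following is an added example written for this article, not code from Lendf.me, Uniswap or the dForce project: a deliberately simplified lending contract whose balance bookkeeping can be re-entered through an ERC777 token hook, placed beside a hardened version. The token interface, contract names and the snapshot-then-write pattern are assumptions chosen to illustrate the class of bug, not a reconstruction of the actual exploited code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// ERC777 tokens such as imBTC also expose the ERC20 surface, but transferFrom() still
// invokes the sender's tokensToSend hook (registered through ERC1820) before balances move.
interface IHookedToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE (simplified model, not Lendf.me's code): the new balance is computed from a
// snapshot taken before the external call and written after it. If the sender's hook
// re-enters withdraw() during transferFrom, the later write restores the pre-withdraw balance.
contract VulnerableLending {
    IHookedToken public immutable token;
    mapping(address => uint256) public supplied;
    constructor(IHookedToken t) { token = t; }
    function supply(uint256 amount) external {
        uint256 updated = supplied[msg.sender] + amount;  // stale snapshot
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed"); // hook runs here
        supplied[msg.sender] = updated;                    // overwrites whatever the hook did
    }
    function withdraw(uint256 amount) external {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// HARDENED: checks-effects-interactions order plus a mutex, so state is never derived from
// a pre-call snapshot and any re-entrant call arriving from a token hook reverts.
contract HardenedLending {
    IHookedToken public immutable token;
    mapping(address => uint256) public supplied;
    uint256 private locked = 1;
    constructor(IHookedToken t) { token = t; }
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    function supply(uint256 amount) external nonReentrant {
        supplied[msg.sender] += amount;                    // effect first
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed"); // interaction last
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Audit checklist drawn from the contrast: any storage write that follows an external call to a token with hooks, and any value read before such a call and written after it, is a reentrancy candidate.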
The attack on Lendf.me was by far the more damaging of the two, since the hackers almost wiped out the platform's entire funds.
Thereafter, stolen funds from the two separate entities were quickly moved to other accounts.
In light of the attacks, both sites were taken offline to limit any further fallout. Tokenlon also went ahead and suspended its imBTC token, and further resolved to bar any new transactions. This decision was taken to eliminate the likelihood of hackers launching new attacks against other platforms.
Update – Hackers Return Stolen Funds
In an April 21 update, the hackers decided to return all the stolen cryptocurrency after realizing that they had made the grave mistake of unintentionally leaking their IP address during the heist. It is reported that the funds were returned following negotiations between the Lendf.me platform and the dForce Foundation on one side and the hackers on the other.