Two cryptocurrency wallets were attacked over the weekend, and one of them lost $25 million worth of crypto. The attack method used by the hackers is called reentrancy.
Reentrancy attacks let an attacker withdraw cryptocurrency over and over again, because each repeated withdrawal is made before the state of the initial transaction has been updated.
The attacks targeted the decentralized lending platform Lendf.me, one of the two lending protocols supported by the DeFi (decentralized finance) network dForce; the other venue hit was the crypto exchange Uniswap.
Tokenlon, the company behind imBTC, claims that attackers first targeted Uniswap on Saturday, exploiting a Uniswap vulnerability that arises in combination with the ERC777 token standard.
On Sunday night, the hackers targeted Lendf.Me, which led to an “abnormally large borrowing on the platform.” DeFi Pulse also reported that dForce Foundation’s Lendf.me was attacked early on Sunday morning, after which around 99% of its Ethereum and Bitcoin assets were drained.
Reportedly, the attackers targeted the money market pool of Lendf.me at 8:45 Beijing time, at block height 9899681.
DeFi protocol developers suggest that the issue might stem from imBTC being an ERC777 token that must be anchored at a one-to-one rate, which means an Ethereum token might have been pegged against Bitcoin.
It is possible that the combination of the Lendf.Me/Uniswap contracts and the ERC777 token contract enabled the attacker to launch reentrancy attacks.
However, these are mere speculations, as dForce has not yet released an official statement about the incident or what could have gone wrong. The official Lendf.me website displayed the message “Do not supply anymore!” before going offline.
The only statement we have seen so far was published on Lendf.me’s Telegram channel and Medium blog, where the foundation’s CEO Mindao Yang stated that users must not supply any funds or assets to Lendf.me for the time being and that the company is investigating the matter.
Yang also stated that the callback mechanism of the DeFi smart contracts at his organization could have allowed the attacker to “supply and withdraw” ERC777 tokens continuously.
It is also unclear whether the attacker seized the funds completely or whether some users were able to withdraw their funds, but it is confirmed that the wallets stored funds worth $25m in total.
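The “supply and withdraw” loop Yang describes is a reentrancy pattern that ERC777 hooks make possible: the token contract calls back into the sender or recipient during every transfer, so a lending pool that writes a cached balance after that transfer can have a withdrawal silently undone. The following is an added, hypothetical illustration of that class of bug and its fix (simplified pool code written for this article, not dForce’s or Lendf.me’s contracts; the `IERC777Like` interface and pool names are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// ERC777-style token: operatorSend runs the sender's tokensToSend hook
// and send runs the recipient's tokensReceived hook before returning,
// so every transfer is an external call into user-controlled code.
interface IERC777Like {
    function operatorSend(address from, address to, uint256 amount,
                          bytes calldata data, bytes calldata opData) external;
    function send(address to, uint256 amount, bytes calldata data) external;
}

// Hypothetical pool (not Lendf.me's code). supply() caches the balance,
// makes the token call, then writes the cached value back. A withdraw()
// re-entered from the tokensToSend hook is debited correctly, but the
// stale write afterwards restores the balance, so the pool pays out
// tokens it no longer credits against the user.
contract VulnerablePool {
    IERC777Like public immutable token;
    mapping(address => uint256) public balances;
    constructor(IERC777Like t) { token = t; }

    function supply(uint256 amount) external {
        uint256 cached = balances[msg.sender];                       // read
        token.operatorSend(msg.sender, address(this), amount, "", ""); // hook fires
        balances[msg.sender] = cached + amount;                      // stale write
    }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        token.send(msg.sender, amount, "");
    }
}

// Hardened form: (1) no state is derived from a value read before an
// external call, and (2) a mutex rejects any re-entrant call outright.
contract HardenedPool {
    IERC777Like public immutable token;
    mapping(address => uint256) public balances;
    bool private locked;
    constructor(IERC777Like t) { token = t; }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true; _; locked = false;
    }
    function supply(uint256 amount) external nonReentrant {
        token.operatorSend(msg.sender, address(this), amount, "", "");
        balances[msg.sender] += amount;      // read-modify-write after the call
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;      // effect before interaction
        token.send(msg.sender, amount, "");
    }
}
```

In an audit, the test to add is one where the token’s hook calls back into the pool during supply() and asserts that the caller’s recorded balance afterwards never exceeds the tokens the pool actually holds for them.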
Yang claims to have contacted law enforcement authorities to investigate the matter, and the company has also responded to the attacker’s request for discussion.
“The hacker(s) have attempted to contact us and we intend to enter into discussions with them,” said Yang. “We are doing everything in our power to contain the situation. We have contacted law enforcement in several jurisdictions, reached out to asset issuers and exchanges to track down and blacklist the hackers’ addresses and engaged our legal teams.”