Bad news from
According to the experts, the two attacks could be linked, the same hacker might have used an exploit shared on GitHub to hack the two services.
The two incidents took place between Saturday and Sunday.
“Started at 12:58:19 AM +UTC, Apr-18–2020, a known
Attackers have chained a reentrancy vulnerability with other issues and legitimate features from different blockchain technologies to hack the platforms.
A reentrancy attack consists in withdrawing funds repeatedly before the legitimate transaction is approved or declined.
In the hack of the Uniswap platform, the attacker exploited the issue to steal funds from the Uniswap liquidity pool of ETH-imBTC (containing about 1,278 ETH). In the case of the Lendf.Me hack, the attacker exploited the same issue to increase the internal record of the attacker’s imBTC collateral amount so that she can borrow (and indeed borrow) a variety of 10+ assets from all available Lendf.Me liquidity pools (with total asset value of $25,236,849.44).
According to Tokenlon, the company behind the
The problem results by combining the ERC777 tokens and Uniswap/Lendf.Me contracts.
It seems that the hacker has stolen between $300,000 and $1.1 million in funds from Uniswap, and more than $24.5 million from Lendf.me.
Tokenlon has suspended its imBTC token as precautionary measure and blocked all new transactions. Both Uniswap and the Lendf.me have been taken down to prevent further attacks.