Hackers steal $25 million worth of cryptocurrency from 2 platforms
https://tech-blog24.blogspot.com/2020/04/hackers-steal-25-million-worth-of.html
Hackers have stolen over $25 million in cryptocurrency from the Uniswap exchange and the Lendf.me lending platform.
Though an investigation is currently underway, both attacks are believed to be related, and were probably carried out by the same group or person.
According to investigators, hackers appear to have chained together bugs and legitimate features from different blockchain technologies to orchestrate a sophisticated "reentrancy attack".
Reentrancy attacks make it possible for hackers to withdraw funds repeatedly, in a loop, before the original transaction is approved or declined.
What Uniswap and Lendf.me have in common is what the platforms were using:
Lendf.me protocol -- a decentralized finance (DeFi) protocol developed by the dForce Foundation to support lending operations on the Ethereum platform.
imBTC -- a token (coin) that runs on the Ethereum platform and is valued at a 1:1 rate with the Bitcoin cryptocurrency.
ERC-777 -- one of the underlying technologies of the Ethereum blockchain, intended to support smart contracts (both Lendf.me and imBTC run as smart contracts on the Ethereum platform).
"The ERC-777 token standard has - to our knowledge - no security vulnerabilities," said Tokenlon, the company behind imBTC.
"However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables [...] reentrancy attacks," the firm wrote in a post-mortem report of the Uniswap and Lendf.me attacks.
The company believes the hackers used an entry published in July 2019 on GitHub by OpenZeppelin, a company that performs security audits for cryptocurrency platforms.
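A simplified model of the reentrancy pattern described above, added here as an illustration and not taken from the Uniswap, Lendf.me, imBTC or ERC-777 code: a pool pays out through a token whose transfer triggers a callback, with the vulnerable ordering beside a hardened one (ledger updated before the external call, plus a reentrancy lock). The names `HookToken`, `Pool` and `simulate`, and all balances, are constructed for this example.

```python
# Added toy model with hypothetical names; not Uniswap, Lendf.me, imBTC or ERC-777 code.
class HookToken:
    def __init__(self, balances):
        self.balances = dict(balances)
    def transfer(self, src, dst, amount, hook=None):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        if hook:
            hook()  # external call: control leaves the pool mid-operation

class Pool:
    def __init__(self, token, hardened):
        self.token, self.hardened = token, hardened
        self.credit = {}     # internal ledger: what the pool owes each user
        self.locked = False  # reentrancy lock, enforced only when hardened

    def deposit(self, user, amount):
        self.token.transfer(user, "pool", amount)
        self.credit[user] = self.credit.get(user, 0) + amount

    def withdraw(self, user, hook=None):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            amount = self.credit.get(user, 0)
            if self.hardened:
                self.credit[user] = 0  # ledger updated before the external call
            self.token.transfer("pool", user, amount, hook)
            self.credit[user] = 0      # vulnerable path: ledger cleared only now
            return amount
        finally:
            self.locked = False

def simulate(hardened, reentries=3):
    pool = Pool(HookToken({"others": 90, "caller": 10}), hardened)
    pool.deposit("others", 90)
    pool.deposit("caller", 10)
    state = {"left": reentries, "blocked": 0}
    def reenter():  # constructed callback: runs before withdraw() has finished
        if state["left"] > 0:
            state["left"] -= 1
            try:
                pool.withdraw("caller", reenter)
            except RuntimeError:
                state["blocked"] += 1
    pool.withdraw("caller", reenter)
    return pool.token.balances["caller"], pool.token.balances["pool"], state["blocked"]
```

With the vulnerable ordering the caller's 10-unit credit is paid out once per nested call because the ledger still shows the old value; with the hardened ordering the nested call is rejected and the pool keeps the other depositors' funds.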
At the time of writing, Uniswap is thought to have lost between $300,000 and $1.1 million in capital, while Lendf.me lost over $24.5 million.
The hackers used the reentrancy attack to siphon funds from each platform into their wallet, and then immediately transferred the funds to other accounts.
Both websites have been taken down to prevent additional attacks. Tokenlon has also suspended its imBTC token and is blocking all new trades to prevent the hackers from carrying out fresh attacks against other platforms.