




Medium - imToken

・2020.04.19 About Recent Uniswap and Lendf.Me Reentrancy Attacks



・2020.04.19 14:50 GMT Hackers steal $25 million worth of cryptocurrency from Uniswap and Lendf.me  by 
Hacker is believed to have used an exploit shared on GitHub last year to steal funds from both platforms.

Security Affairs

・2020.04.20 Uniswap and Lendf.me hacked, attacker stole $25 million worth of cryptocurrency by Pierluigi Paganini
Hackers have stolen more than $25 million worth of cryptocurrency from the Uniswap exchange and the Lendf.me lending platform.





Medium - imToken

・2020.04.19 About Recent Uniswap and Lendf.Me Reentrancy Attacks


Recently, Uniswap and Lendf.Me experienced two “reentrancy attacks” in which a high amount of user funds were stolen. Below we try to explain what happened.

In order to enable the investigation of possible reentrancy attacks, the imBTC contract has been suspended, waiting for the security incident to be evaluated, to be then restarted.

The BTC escrow that backs imBTC 1:1 is not affected. Users holding imBTC will be able to redeem, trade, transfer and use other functions after the suspension is lifted.

Timeline of the relevant events

8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to perform a reentrancy attack. For technical details please refer to Open Zeppelin’s explanation here.

12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.

12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.

17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.

09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one that happened to Uniswap, resulting in a large number of abnormal borrowings on the platform.

10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.

As of the time of publishing, Lendf.Me functions are stopped and security investigation ongoing.

The current status of imBTC

At present, the imBTC holders who did not deposit imBTC to the Lendf.Me platform are not affected. imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.

imBTC is an ERC-777 token anchored 1:1 to BTC (compatible with the ERC20 standard) issued by Tokenlon. The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.

Please stay tuned to our communication channels. We will continue to release updates about the incident.



・2020.04.20 Cryptocurrency Worth $25 Mn Stolen in Lendf.Me and Uniswap Hacking

・2020.04.20 DForce DeFi Protocol Breached, $25 Million in BTC and ETH Lost by Wanguba Muriuki

・2020.04.19 Hackers just tapped China's dForce for $25 million in Ethereum exploit by Andrew Hayward and Robert Stevens

Inside Bitcoins
・2020.04.19 Uniswap, Lendf.me Suffer From $25 Million Hack This Weekend by Max Moeller

・2020.04.19 Is DeFi Now Dead? Inside the dForce / LendfMe 25 Million USD Hack!

・2020.04.20 DForce Hacker Attempts to Negotiate After Allegedly Leaking His Identity by Utkarsh Gupta
The hacker behind the recent theft of $25 million from DeFi platform Lendf.me has leaked important data about himself, and is already signaling for peace.
・2020.04.19 DForce Loses 99.95% of Funds in Latest Test of DeFi's Resilience by SAMUEL HAIG
Leading Chinese DeFi protocol has lost 99.95% of locked funds in a nearly $25 million hack.

・2020.04.19 Deal with the devil: Ethereum DeFi protocol negotiates with hacker of $25 million
It's been a crazy past 24 hours for users of decentralized finance, also known as “DeFi.” Over this time, devious Ethereum users managed to steal over $25 ...

・2020.04.20 Crypto Hackers Want to Negotiate After Stealing $25,000,000 in Ethereum and Bitcoin-Pegged Assets From DeFi Protocol
Hackers have successfully stolen $25,000,000 from two separate pools on the decentralized lending platform dForce, draining Ethereum (ETH) and ...

・2020.04.19 Chinese DeFi Protocol dForce Reportedly Loses $25 Million Of Its Total Locked Value In An Attack
dForce, a Chinese decentralized finance (DeFi) protocol that is backed by Multicoin Capital, has reportedly been exploited. According to a popular DeFi.

・2020.04.20 dForce hackers forced into U-turn after failing to sell stolen funds by Will Heasman
Hackers of Chinese DeFi platform dForce have backpedaled on a $25 million exploit, returning $2.6 million in stolen funds after failing to dump them.
・2020.04.19 Hackers just tapped China's dForce for $25 million in Ethereum exploit by Andrew Hayward and Robert Stevens
A known ERC777 vulnerability led to an attack that drained a huge chunk of coin from dForce. The same attack also drained around $300,000 from a Uniswap pool.

TWJ News
・2020.04.19 25 Million Loss in Crypto Suffered by dForce as DeFi Protocol Witnesses Attack by Utkarsh Gupta
dForce, a Multicoin Capital-backed Chinese decentralized finance protocol was exploited and the Total Value Locked in the dForce space dropped from a ...

・2020.04.20 Weekend Attack Drains Decentralized Protocol dForce of $25M in Crypto
dForce appears to have lost control of $25 million in bitcoin and ether held in its decentralized lending protocol.

・2020.04.19 dForce DeFi Protocol Hacked, $25M in Bitcoin (BTC) and Ethereum (ETH) Stolen
Today, the worldwide DeFi community witnessed probably its most devastating hack ever. The attack on the dForce protocol (aka Lendf.me) resulted in a $25M ...

The Block Crypto
・2020.04.19 Multicoin Capital-backed DeFi protocol dForce loses ~$25M total locked value in an exploit

dForce CEO Mindao Yang just confirmed in a blog post that the hacker(s) have reached out to the team and the team intends ...

Herald Sheets
・2020.04.19 DeFi Protocol dForce Loses Over $25M in Bitcoin (BTC) and Ethereum (ETH) in an Attack On Saturday by Tobi Loba
According to a trending report from DeFi Pulse, a decentralized finance protocol dForce has lost over 99% of its assets in an attack on its system on Saturday, ...

・2020.04.19 $25M in cryptocurrency stolen in hack of Lendf.me and Uniswap
About $25 million in cryptocurrency was stolen from Uniswap and Lendf.Me over the weekend by hackers who exploited a technology underlying the Ethereum ...

