About Recent Uniswap and Lendf.Me Reentrancy Attacks
Update on imBTC Operations: Tokenlon to cease cross-chain gateway services
Recently, Uniswap and Lendf.Me experienced two “reentrancy attacks” in which a high amount of user funds were stolen. Below we try to explain what happened.
In order to enable the investigation of possible reentrancy attacks, the imBTC contract has been suspended, waiting for the security incident to be evaluated, to be then restarted.
The BTC escrow that backs imBTC 1:1 is not affected. Users holding imBTC will be able to redeem, trade, transfer and use other functions after the suspension is lifted.
Timeline of the relevant events
8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to perform a reentrancy attack. For technical details please refer to Open Zeppelin’s explanation here.
12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.
12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.
17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.
09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.
10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.
As of the time of publishing, Lendf.Me functions are stopped and security investigation ongoing.
The current status of imBTC
At present, the imBTC holders who did not deposit imBTC to the Lendf.Me platform are not affected. imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.
imBTC is an ERC-777 token anchored 1:1 to BTC (compatible with the ERC20 standard) issued by Tokenlon. The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.
Please stay tuned to our communication channels. We will continue to release updates about the incident.
Edit: Read our followup on Recent Events & imBTC’s Future:
