About Recent Uniswap and Lendf.Me Reentrancy Attacks

Tokenlon DEX
Apr 19, 2020 · 2 min read

Recently, Uniswap and Lendf.Me experienced two “reentrancy attacks” in which a high amount of user funds were stolen. Below we try to explain what happened.

In order to enable the investigation of possible reentrancy attacks, the imBTC contract has been suspended, waiting for the security incident to be evaluated, to be then restarted.

The BTC escrow that backs imBTC 1:1 is not affected. Users holding imBTC will be able to redeem, trade, transfer and use other functions after the suspension is lifted.

Timeline of the relevant events

8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to perform a reentrancy attack. For technical details please refer to Open Zeppelin’s explanation here.

12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.

12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.

17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.

09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.

10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.

As of the time of publishing, Lendf.Me functions are stopped and security investigation ongoing.

The current status of imBTC

At present, the imBTC holders who did not deposit imBTC to the Lendf.Me platform are not affected. imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.

imBTC is an ERC-777 token anchored 1:1 to BTC (compatible with the ERC20 standard) issued by Tokenlon. The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.

Please stay tuned to our communication channels. We will continue to release updates about the incident.

This post is also available in English here and Chinese here on our blog.

imToken

Digital Assets Within Your Control

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store