imToken
Published in

imToken

Tokenlon DEX

Apr 19, 2020

2 min read

About Recent Uniswap and Lendf.Me Reentrancy Attacks

Recently, Uniswap and Lendf.Me experienced two “reentrancy attacks” in which a high amount of user funds were stolen. Below we try to explain what happened.

In order to enable the investigation of possible reentrancy attacks, the imBTC contract has been suspended, waiting for the security incident to be evaluated, to be then restarted.

The BTC escrow that backs imBTC 1:1 is not affected. Users holding imBTC will be able to redeem, trade, transfer and use other functions after the suspension is lifted.

Timeline of the relevant events

8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to perform a reentrancy attack. For technical details please refer to Open Zeppelin’s explanation here.

12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.

12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.

17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.

09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.

10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.

As of the time of publishing, Lendf.Me functions are stopped and security investigation ongoing.

The current status of imBTC

At present, the imBTC holders who did not deposit imBTC to the Lendf.Me platform are not affected. imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.

imBTC is an ERC-777 token anchored 1:1 to BTC (compatible with the ERC20 standard) issued by Tokenlon. The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.

Please stay tuned to our communication channels. We will continue to release updates about the incident.

This post is also available in English here and Chinese here on our blog.

Edit: Read our followup on Recent Events & imBTC’s Future:

Recent Events & imBTC’s Future

While only a small amount of money remains lost, we will give our best to decrease risks and continue to build out…

medium.com

--

--

More from imToken

Digital Assets Within Your Control

Read more from imToken

AboutHelpTermsPrivacy

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tokenlon DEX

Tokenlon DEX

747 Followers

The 🐉 #DEX We promise 99% of your transactions will go through Built on 0x and Ethereum Aggregating best prices from major #DEXs

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech