Published in


About Recent Uniswap and Lendf.Me Reentrancy Attacks

Recently, Uniswap and Lendf.Me experienced two “reentrancy attacks” in which a high amount of user funds were stolen. Below we try to explain what happened.

In order to enable the investigation of possible reentrancy attacks, the imBTC contract has been suspended, waiting for the security incident to be evaluated, to be then restarted.

The BTC escrow that backs imBTC 1:1 is not affected. Users holding imBTC will be able to redeem, trade, transfer and use other functions after the suspension is lifted.

Timeline of the relevant events

8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to perform a reentrancy attack. For technical details please refer to Open Zeppelin’s explanation here.

12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.

12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.

17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.

09:28 on April 19th. Tokenlon received a message from about a reentrancy attack, similar to the one happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.

10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.

As of the time of publishing, Lendf.Me functions are stopped and security investigation ongoing.

The current status of imBTC

At present, the imBTC holders who did not deposit imBTC to the Lendf.Me platform are not affected. imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.

imBTC is an ERC-777 token anchored 1:1 to BTC (compatible with the ERC20 standard) issued by Tokenlon. The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.

Please stay tuned to our communication channels. We will continue to release updates about the incident.

This post is also available in English here and Chinese here on our blog.



Digital Assets Within Your Control

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tokenlon DEX

The 🐉 #DEX We promise 99% of your transactions will go through Built on 0x and Ethereum Aggregating best prices from major #DEXs