Hackers Steal $25m from Cryptocurrency Firms in Reentrancy Attacks
Over the weekend, hackers successfully executed reentrancy attacks on two cryptocurrency firms, resulting in a combined theft of at least $25m. The targeted companies were decentralized lending platform Lendf.Me, supported by the DeFi network dForce, and crypto exchange Uniswap.
How the Attacks Unfolded
The initial breach occurred at Uniswap on Saturday, where the attackers exploited a reentrancy vulnerability in combination with the ERC777 token standard. In this type of attack, the attacker's contract calls back into the victim contract before the state from the initial transaction has been updated, allowing funds to be withdrawn repeatedly against the same unchanged balance; it is the same class of bug as the infamous $60m raid on the Ethereum-based DAO in 2016.
Shortly after the Uniswap incident, Tokenlon, the organization behind the digital currency imBTC, received a notification from Lendf.Me reporting abnormal borrowing activity on its platform. Tokenlon clarified that while the ERC777 token standard itself is secure, using ERC777 tokens with the Uniswap and Lendf.Me contracts is what made the reentrancy attacks possible.
Response and Investigation
Mindao Yang, the founder of dForce, acknowledged that the hacker exploited the “callback mechanism” in the platform's DeFi smart contracts to manipulate ERC777 tokens. Despite the breach, Yang said dForce intends to open a dialogue with the hacker(s) and is actively working to contain the situation.
dForce has taken immediate steps to collaborate with law enforcement across jurisdictions, notify asset issuers and exchanges so they can blacklist the hacker(s)' addresses, and deploy legal resources to address the incident.
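The callback mechanism Yang refers to, ERC777's transfer hooks, and the repeat withdrawals described in the section above, shown as an added example that is not code from Lendf.Me, Uniswap, dForce or Tokenlon: a simplified hypothetical lending pool whose deposit path can be re-entered, beside a hardened version. It assumes the pool has been authorised as an ERC777 operator for the depositor, and the interface and contract names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// ERC777 transfers call tokensToSend on the sender and tokensReceived on the
// recipient (when those are contracts registered via ERC1820), so a transfer
// hands control back to the counterparty before the caller's function resumes.
interface IERC777Like {
    function send(address to, uint256 amount, bytes calldata data) external;
    function operatorSend(address from, address to, uint256 amount,
                          bytes calldata data, bytes calldata opData) external;
}
// Hypothetical pool with the defect: deposit() reads the balance into a local
// before pulling tokens, the depositor's tokensToSend hook re-enters withdraw(),
// and the stale local is then written back, erasing the withdrawal.
contract VulnerablePool {
    IERC777Like public immutable token;
    mapping(address => uint256) public balances;
    constructor(IERC777Like t) { token = t; }
    function deposit(uint256 amount) external {
        uint256 newBalance = balances[msg.sender] + amount; // cached pre-call
        token.operatorSend(msg.sender, address(this), amount, "", ""); // hook fires
        balances[msg.sender] = newBalance; // overwrites any nested withdraw
    }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        token.send(msg.sender, amount, "");
    }
}

// Hardened form: effects are applied to storage before any token call, and a
// mutex rejects a hook that tries to re-enter while a call is in flight.
contract HardenedPool {
    IERC777Like public immutable token;
    mapping(address => uint256) public balances;
    uint256 private lock = 1;
    constructor(IERC777Like t) { token = t; }
    modifier nonReentrant() {
        require(lock == 1, "reentrant call");
        lock = 2; _; lock = 1;
    }
    function deposit(uint256 amount) external nonReentrant {
        balances[msg.sender] += amount; // effect first; a failed pull reverts it
        token.operatorSend(msg.sender, address(this), amount, "", "");
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        token.send(msg.sender, amount, "");
    }
}
```

The hooks only fire for contract accounts that have registered an ERC777 implementer through ERC1820, which is why the same pool code holding a plain ERC20 token cannot be re-entered this way.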
For more technical insights into the attacks, refer to the detailed explanation provided by the company.
The cryptocurrency community remains vigilant as cyber threats continue to evolve, emphasizing the importance of robust security measures and proactive response strategies.