
Hackers Targeted Two Cryptocurrency Platforms To Steal $25 Million Worth Of Crypto Assets

by Abeerah Hashim

Hackers targeted two cryptocurrency platforms, the Uniswap crypto exchange and the Lendf.me lending platform. As reported, the attackers managed to steal cryptocurrency worth $25 million across both platforms.

Two Cryptocurrency Platforms Targeted

Reportedly, hackers have recently targeted two cryptocurrency platforms, Uniswap and Lendf.me, stealing crypto assets worth $25 million. Uniswap is a cryptocurrency exchange, whereas Lendf.me is a cryptocurrency lending platform.

Briefly, the attackers exploited a reentrancy vulnerability to target both services. Uniswap and Lendf.me had a few things in common that made similar attacks possible: the Lendf.me protocol (powered by the dForce decentralized finance (DeFi) protocol), the imBTC token (issued by imToken), and ERC-777, an Ethereum token standard whose transfer hooks call back into the sending and receiving contracts during a transfer. Both imBTC and the DeFi protocol run as smart contracts built on this standard.

According to an analysis shared by PeckShield, a blockchain security firm, the attackers exploited a reentrancy vulnerability arising from the incompatibility of ERC-777 with both smart contracts.

The main logic behind these two incidents is the incompatibility between ERC777 and those DeFi smart contracts, which might be misused by the attacker to utterly hijack a normal transaction and perform additional illicit operations.

imToken has pointed to the same root cause for the attack.

The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.

Regarding how the attackers could conduct this attack, imToken pointed to a 2019 exploit available on GitHub.

$25 Million Worth of Crypto Stolen

Across both incidents, the attackers managed to steal $25 million worth of cryptocurrency.

Following the attack, imToken suspended the imBTC contract to investigate the matter. It will resume services once both Uniswap and Lendf.me give the green light to do so.

As a mitigation against reentrancy attacks, PeckShield recommends the Checks-Effects-Interactions design pattern: validate inputs first, update the contract's own storage second, and only then make external calls (such as token transfers), so that any callback triggered by the external call sees already-updated state.
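To illustrate the pattern, here is an added example (not code from the article, PeckShield, Uniswap or Lendf.me) of a minimal deposit/withdraw vault written against an ERC-777-style token: the first contract updates storage after the external token call, so a token hook can re-enter it; the second applies Checks-Effects-Interactions and a mutex. The `IToken` interface and both `Vault` contracts are assumed, simplified shapes for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal token interface. With an ERC-777 token, transferFrom/transfer
// invoke tokensToSend/tokensReceived hooks on the holder before the balance moves.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE ordering: the external token call (Interaction) runs before the storage
// write (Effect). A hook on msg.sender can re-enter withdraw() during deposit(); the
// stale `newBalance` is then written afterwards, erasing the withdrawal's debit.
contract VaultVulnerable {
    IToken public immutable token;
    mapping(address => uint256) public balanceOf;
    constructor(IToken t) { token = t; }

    function deposit(uint256 amount) external {
        uint256 newBalance = balanceOf[msg.sender] + amount;      // read before the call
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balanceOf[msg.sender] = newBalance;                       // overwrites re-entrant changes
    }
    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        require(token.transfer(msg.sender, amount), "transfer failed");
        balanceOf[msg.sender] -= amount;                          // debit after the call
    }
}

// HARDENED: Checks-Effects-Interactions, so every storage update lands before any
// external call; a mutex additionally rejects re-entry outright (defence in depth).
contract VaultSafe {
    IToken public immutable token;
    mapping(address => uint256) public balanceOf;
    bool private locked;
    constructor(IToken t) { token = t; }
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    function deposit(uint256 amount) external nonReentrant {
        balanceOf[msg.sender] += amount;                          // Effect
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed"); // Interaction
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(balanceOf[msg.sender] >= amount, "insufficient");  // Check
        balanceOf[msg.sender] -= amount;                          // Effect
        require(token.transfer(msg.sender, amount), "transfer failed"); // Interaction
    }
}
```

If a token transfer fails in `VaultSafe`, the `require` reverts the whole call, so the balance update made before the external call is rolled back along with it.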

Let us know your thoughts in the comments.
