8:58 AM. SCT on April 18:
An attacker used a vulnerability in Uniswap and ERC777 to launch an attack.
The partners try to patch it… Lendf.me says everything is ok… Well…

09:28 AM. SCT on April 19:
Tokenlon received a message from Lendf.me about an attack similar to Uniswap that resulted in a large number of abnormal borrowings on the platform.

The capital in dForce dropped by 99.9%!

Comparison of past attacks

This is just one of many attacks in recent months and years:

How did the hacking go? Keyword: Reentrancy Attack

Reentrancy attacks allow hackers to repeatedly withdraw funds in a loop before the original transaction is approved or rejected.

The similarity between Uniswap and Lendf.me is that both platforms use the same 3 protocols:

  1. Lendf.me protocol — a decentralised financial protocol (DeFi) developed by the dForce Foundation to support credit operations on the Ethereum platform.
  2. imBTC — a coin that runs on the Ethereum platform and is covered in a 1:1 ratio with the Bitcoin crypto currency.
  3. ERC-777 — one of the underlying technologies of the Ethereum block chain that is intended to support Smart Contracts (both Lendf.me and imBTC run as such on the Ethereum platform)

The token standard ERC-777 has — according to Tokenlon, the company behind imBTC — no security gaps.

BUT: However, the combination of the use of ERC-777 tokens and Uniswap/Lendf.me made the reentrancy attacks possible.

The bummer: It appears that the hackers used an exploit published on GitHub in July 2019 by OpenZeppelin, a company that performs security checks for cryptocurrency platforms.

Result: 25 million loss

It is currently estimated that Uniswap has lost between $300,000 and $1.1 million in funds, while Lendf.me has lost more than $24.5 million.

Actual problem:

Wrong risk / benefit assessment of Turing-Komplett Smart Contract platforms, where everything is possible — greed often eats brains here:

Solution approaches:

  1. Better risk assessment of users
  2. Better audits
  3. No Turing complete DeFi? Example: https://DeFiChain.io or others

What’s next for LendfMe?

Negotiate with hackers for refunds and commissions:

Confidence-building possible again?

A lot of people lost their money through this hack. The exciting question now will be, how does LendfMe deal with this and how do the members react in the long run?

In the crypto area we have now witnessed some hacks, some were quickly forgotten and trust was quickly rebuilt. Like the hack from Binance, for example. Binance reacted extremely quickly and compensated all those affected, so Binance was able to quickly regain trust. On the other hand, as with Mt. Gox, there was a total loss…

We will find out in the next few days/weeks what exactly happens next.

Your opinion? Should “bad code must die” be implemented?

Cash flow from crypto-currencies secure and verified — but (still) centralized: https://cakedefi.com

Also check https://defichain.io for non-turing-complete DeFi, where such things should not happen in the future.

Your Julian

You can find more such contributions to:
Hackernoon: https://hackernoon.com/u/julianhosp
Medium: https://medium.com/@julianhosp
LinkedIn: https://www.linkedin.com/in/julianhosp/