WHAT HAPPENED? An attacker used a vulnerability in and ERC777 to launch an attack. 8:58 AM. SCT on April 18: Uniswap The partners try to patch it… says everything is ok… Well… Lendf.me received a message from about an attack similar to that resulted in a large number of abnormal borrowings on the platform. 09:28 AM. SCT on April 19: Tokenlon Lendf.me Uniswap The capital in dForce dropped by 99.9%! Comparison of past attacks This is just one of many attacks in recent months and years: How did the hacking go? Keyword: Reentrancy Attack Reentrancy attacks allow hackers to repeatedly withdraw funds in a loop before the original transaction is approved or rejected. The similarity between and is that both platforms use the same 3 protocols: Uniswap Lendf.me Lendf.me protocol — a decentralised financial protocol (DeFi) developed by the dForce Foundation to support credit operations on the Ethereum platform. imBTC — a coin that runs on the Ethereum platform and is covered in a 1:1 ratio with the Bitcoin crypto currency. ERC-777 — one of the underlying technologies of the Ethereum block chain that is intended to support Smart Contracts (both Lendf.me and imBTC run as such on the Ethereum platform) The token standard ERC-777 has — according to Tokenlon, the company behind imBTC — no security gaps. However, the combination of the use of ERC-777 tokens and Uniswap/Lendf.me made the reentrancy attacks possible. BUT: It appears that the hackers used an exploit published on GitHub in July 2019 by OpenZeppelin, a company that performs security checks for cryptocurrency platforms. The bummer: Result: 25 million loss It is currently estimated that has lost between $300,000 and $1.1 million in funds, while has lost more than $24.5 million. Uniswap Lendf.me Actual problem: Wrong risk / benefit assessment of Turing-Komplett Smart Contract platforms, where everything is possible — greed often eats brains here: Solution approaches: 1- Better risk assessment of users 2. Better audits 3. No Turing complete DeFi? Example: or others https://DeFiChain.io What’s next for LendfMe? Negotiate with hackers for refunds and commissions: Confidence-building possible again? A lot of people lost their money through this hack. The exciting question now will be, how does LendfMe deal with this and how do the members react in the long run? In the crypto area we have now witnessed some hacks, some were quickly forgotten and trust was quickly rebuilt. Like the hack from Binance, for example. Binance reacted extremely quickly and compensated all those affected, so Binance was able to quickly regain trust. On the other hand, as with Mt. Gox, there was a total loss… We will find out in the next few days/weeks what exactly happens next. Your opinion? Should “bad code must die” be implemented? Cash flow from crypto-currencies secure and verified — but (still) centralized: https://cakedefi.com Also check for non-turing-complete DeFi, where such things should not happen in the future. https://defichain.io Your Julian You can find more such contributions to: Blog: LinkedIn: https://julianhosp.com/blog/ https://www.linkedin.com/in/julianhosp/

Uniswap

Flow

DeFiChain

Chain

Binance

Get 8% casfhlow from crypto!

Read My Stories

Too Long; Didn't Read

Discover Saakuru: Web3 Mass-Adoption with 0-FEES

Is DeFi Now Dead? Inside the dForce / LendfMe 25 Million USD Hack!

Too Long; Didn't Read

Company Mentioned

Coins Mentioned

Dr. Julian Hosp

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Is DeFi Now Dead? Inside the dForce / LendfMe 25 Million USD Hack!

Too Long; Didn't Read

Company Mentioned

Coins Mentioned

Dr. Julian Hosp

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES