QI Quadriga Initiative

Apr 2020 - Uniswap ERC777 Reentrancy Attack - $300k+ (Unknown)

"Uniswap is an Ethereum exchange, built using smart contracts and liquidity pools, as opposed to the order book of a traditional centralized exchange (CEX), such as Binance. With any Ethereum wallet, users can simply connect to the Uniswap application and effortlessly exchange ERC20 tokens without first sending them to the exchange platform account."

"[T]he development of Uniswap was facilitated by Vitalik Buterin’s idea for a decentralized exchange (DEX), which would involve an automated market maker. Actually, the protocol developer himself, Hayden Adams, at first tried to just practice development on Solidity, and later this hobby brought him several grants and $100 000 from the Ethereum Foundation. Now the project went far beyond just entertainment and became one of the most important components of the entire DeFi industry."

"Started at 12:58:19 AM +UTC, Apr-18–2020, a known reentrancy vulnerability was exploited on Uniswap against the imBTC liquidity pool…" "The exploit allowed the attacker to drain roughly $300k worth of value due to a reentrancy attack which allowed funds to be drained in a similar fashion to what happened with The DAO back in 2016." "[T]he attacker was able to call the Uniswap smart contract to withdraw funds before the external balance could be updated, effectively creating a cycle in which all the tokens in the contract could be purchased for pennies." "The Uniswap cyberattack reportedly exploited an already known shortcoming that majorly affects the ERC777 token standard."

"Specifically, in the Uniswap hack, the attacker exploits the vulnerability to drain the Uniswap liquidity pool of ETH-imBTC (with about 1,278 ETH) while in the Lendf.Me hack, the attacker makes use of it to (arbitrarily) increase the internal record of the attacker’s imBTC collateral amount so that she can borrow (and indeed borrow) a variety of 10+ assets from all available Lendf.Me liquidity pools (with total asset value of $25,236,849.44)."

"It was confirmed that all Uniswap smart contracts that comprise imBTC, an ETH-based, tokenized version of BTC that is operated by TokenIon, were entirely drained." "[T]he imBTC pool on Uniswap [was] attacked & drained. The hacker utilized an attack vector on ERC777 tokens on Uniswap." "According to investigators, hackers appear to have chained together bugs and legitimate features from different blockchain technologies to orchestrate a sophisticated 'reentrancy attack.'" "[T]he combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables [...] reentrancy attacks." "The first target on the attackers’ list was Uniswap, a fully decentralized peer-to-peer cryptocurrency exchange platform, providing users with a means to trade Ethereum cryptocurrency. In this case, the hackers stole between $300,000 and $1.1 million (in imBTC tokens)."

"[B]oth Uniswap and Lendf.Me were taken offline to prevent further attacks. Tokenlon said that “imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.” Users are advised to follow updates on the company’s Twitter page."

Further Analysis

Significant funds were held in a hot wallet, namely the liquidity pool smart contract itself. In this exploit, the ERC777 token's transfer hook lets the attacker's contract call back into the Uniswap exchange contract in the middle of a trade, so funds are withdrawn before the exchange's balance has been updated and each nested trade is priced as if the earlier ones had not happened. This weakness had been publicly known since July 2019 and was never patched or investigated until it was finally exploited.
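To make the mechanism concrete, here is a hypothetical, simplified constant-product pool in the style of Uniswap v1, written for this page (it is not Uniswap's code). It shows the trade function in its vulnerable form next to a hardened form that rejects re-entrant calls; the interface, fee-free price formula and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified pool in the style of Uniswap v1 (no fee). Like v1, the reserves are the
// live balances of the contract, which is what makes the ERC777 hook dangerous.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

contract Pool {
    IERC20 public immutable token;
    bool private locked; // mutex used by the hardened path

    constructor(IERC20 t) { token = t; }
    receive() external payable {}

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // ETH paid out for `tokensSold`, based on the current (balance-derived) reserves.
    function quoteEthForTokens(uint256 tokensSold) public view returns (uint256) {
        uint256 tokenReserve = token.balanceOf(address(this));
        return (tokensSold * address(this).balance) / (tokenReserve + tokensSold);
    }

    // Vulnerable: ETH is sent, then transferFrom runs. For an ERC777 token the seller's
    // tokensToSend hook executes inside transferFrom BEFORE the tokens are debited, so a
    // nested call to this function still sees the old token reserve and is quoted as if
    // the previous sale had not happened. Reordering alone would not close this, because
    // the hook always fires before balances change.
    function tokenToEthSwapVulnerable(uint256 tokensSold, uint256 minEth) external {
        uint256 ethBought = quoteEthForTokens(tokensSold);
        require(ethBought >= minEth, "slippage");
        (bool ok, ) = msg.sender.call{value: ethBought}("");
        require(ok, "eth send failed");
        require(token.transferFrom(msg.sender, address(this), tokensSold), "transfer failed");
    }

    // Hardened: the mutex makes any nested call revert, so the hook cannot re-enter.
    function tokenToEthSwap(uint256 tokensSold, uint256 minEth) external nonReentrant {
        uint256 ethBought = quoteEthForTokens(tokensSold);
        require(ethBought >= minEth, "slippage");
        require(token.transferFrom(msg.sender, address(this), tokensSold), "transfer failed");
        (bool ok, ) = msg.sender.call{value: ethBought}("");
        require(ok, "eth send failed");
    }
}
```

A guard of this kind (the `lock` modifier in Uniswap v2, or OpenZeppelin's `ReentrancyGuard`) is the standard mitigation when a contract's accounting depends on token balances that an external call can observe before they change.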

How Could This Have Been Prevented?

Funds would have been more securely stored offline, in cold storage that requires multiple signatures from trained individuals before any withdrawal.


Sources/Further Reading

DForce DeFi Protocol Breached, $25 Million in BTC and ETH Lost (Jun 10)
Tokenlon DEX on Twitter: "Today, the imBTC pool on Uniswap has been attacked... (Jun 21)
Hackers steal $25 million worth of cryptocurrency from Lendf.me platform | ZDNet (Jun 21)
GitHub - OpenZeppelin/exploit-uniswap: Exploiting a Uniswap exchange that uses an ERC777 token by leveraging the reentrant microtrading attack vector (Jun 21)
A hackers’ dream payday: Ledf.Me and Uniswap lose $25 million worth of cryptocurrency - Security Boulevard (Jun 21)
imBTC Uniswap Pool Drained for ~$300k in ETH - DeFi ERC777 Exploit (Jun 21)
Exploiting Uniswap: from reentrancy to actual profit – OpenZeppelin blog (Jun 21)
Uniswap/Lendf.Me Hacks: Root Cause and Loss Analysis (Jun 21)
CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20)
SlowMist Hacked - SlowMist Zone (May 18)
List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 23)
Uniswap Lendf Me Hacks Root Cause And Loss Analysis (Jun 22)
How Does Uniswap Work (Jun 5)
Blockchain Hacks: 2020 | $15 billion lost, how can we mitigate hacks in 2021? | CertiK Foundation Blog (Jul 23)
Security Risks in Ethereum DeFi | ConsenSys Codefi (Dec 31)

