Hackers stole more than $25 million worth of cryptocurrency from leading Chinese decentralized finance protocol dForce this weekend. The attackers exploited vulnerabilities in an Ethereum token standard.
The funds were stolen when hackers attacked Lendf.Me, a lending platform that is part of dForce. According to DeFi Pulse data, funds on dForce dropped from $25 million to $10,000 overnight. The stolen funds were immediately sent into the top DeFi lending protocols Compound and Aave.
The attack came a few days after dForce raised $1.5 million in a seed round led by crypto venture capital fund Multicoin Capital.
Earlier this weekend, $300,000 worth of cryptocurrency was stolen from Uniswap, a decentralized cryptocurrency exchange that allows trading of ERC-20 tokens.
Reentrancy attacks used to steal funds
The investigation is still underway, but the two attacks are most likely related and were carried out by the same group or individual.
What the Uniswap and Lendf.Me incidents have in common is that both platforms used imBTC, a token that runs on the Ethereum platform and is valued at a 1:1 ratio with Bitcoin. The imBTC token is operated on the decentralized exchange Tokenlon.
It is believed that the attacks targeted a vulnerability inherent in Ethereum’s (ETH) ERC-777 token standard. ERC-777 is one of the underlying technologies of the Ethereum blockchain meant to support smart contracts. Both Lendf.Me and imBTC run as smart contracts on the Ethereum platform.
According to Tokenlon's announcement, Uniswap and Lendf.Me experienced “reentrancy attacks”. This kind of attack allows hackers to withdraw funds repeatedly before the original transaction is approved or declined. The funds drained from each platform were transferred into the attacker’s wallets, and then immediately moved to other accounts.
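The reentrancy pattern described above, as an added example that is not taken from the article or from the affected platforms' contracts: a simplified Python model of a pool that pays out before updating its ledger, next to a version that updates the ledger first. All class and function names are hypothetical and the balances are constructed; it assumes only that the token calls a recipient hook on transfer, as ERC-777 tokens do.

```python
# Added example: simplified in-memory model; all names are hypothetical.
class HookToken:
    """Token that calls the recipient's hook on transfer (ERC-777 style)."""
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, recipient, amount):
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook:
            hook(sender, amount)  # recipient-controlled code runs here

class VulnerablePool:
    """Pays out first and updates its ledger afterwards."""
    def __init__(self, token):
        self.token, self.deposits = token, {}
    def deposit(self, user, amount):
        self.token.transfer(user, self, amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount
    def withdraw_all(self, user):
        amount = self.deposits.get(user, 0)
        if amount:
            self.token.transfer(self, user, amount)  # ledger still shows the deposit
            self.deposits[user] = 0

class HardenedPool(VulnerablePool):
    """Checks-effects-interactions: clear the ledger before the external call."""
    def withdraw_all(self, user):
        amount = self.deposits.get(user, 0)
        if amount:
            self.deposits[user] = 0
            self.token.transfer(self, user, amount)

class ReenteringDepositor:
    """Recipient whose hook calls back into the pool a fixed number of times."""
    def __init__(self, pool, rounds):
        self.pool, self.rounds = pool, rounds
    def tokens_received(self, sender, amount):
        if sender is self.pool and self.rounds > 0:
            self.rounds -= 1
            self.pool.withdraw_all(self)

def simulate(pool_cls, rounds=3):  # -> (depositor tokens, pool tokens, owed to honest)
    pool = pool_cls(HookToken())
    caller = ReenteringDepositor(pool, rounds)
    pool.token.balances = {"honest": 90, caller: 10}  # constructed sample balances
    pool.deposit("honest", 90)
    pool.deposit(caller, 10)
    pool.withdraw_all(caller)
    return pool.token.balances[caller], pool.token.balances[pool], pool.deposits["honest"]
```

With the vulnerable pool, a depositor of 10 leaves with 40 and the pool holds 60 against the 90 it still owes the other user; with the hardened pool the nested call finds a zero ledger entry and pays nothing extra.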
Both Tokenlon and Lendf.Me are temporarily paused to prevent further attacks. Tokenlon has also suspended its imBTC token and is blocking all new transactions to prevent new attacks against other platforms. Uniswap plans to fix the vulnerability in the near future.