Hackers reportedly exploited a vulnerability related to Ethereum’s ERC-777 token standard. Security teams reported that the attack could be related to imBTC, an Ethereum token tied to Bitcoin.

The Chinese decentralized finance (DeFi) lending platform, Lendf.Me, suffered an attack on April 18th. Hackers stole around USD 25 million worth of cryptocurrencies in a new case of vulnerability in these types of services based on smart contracts.

Security teams from dForce, the organization responsible for managing Lendf.Me transactions, are investigating what happened, but unofficial reports suggest that the theft is related to a vulnerability in Ethereum’s ERC-777 standard. The failure may have originated after the integration between Lendf.Me and imBTC, an Ethereum token tied to Bitcoin which uses that standard as a guarantee. Tokenlon is responsible for managing the tokenized version.

The exploit reportedly allowed criminals to make repeated calls to the smart contract to withdraw funds before the overall balance was updated. The hacker may have initiated the transaction with his supply of imBTC, which occurred at block height 9,989,681.
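The ordering problem described above, shown as an added Python model (not code from Lendf.Me, imBTC or the original article). The `Pool` class, its method names and the amounts are constructed for illustration; the `on_receive` callback stands in for the hook an ERC-777-style token invokes during a transfer.

```python
"""Simplified model of a pool paying out through a token that calls back
into the recipient during a transfer. All names and amounts are constructed."""


class Pool:
    def __init__(self, reserves, effects_first):
        self.reserves = reserves            # tokens held by the pool
        self.balances = {}                  # recorded deposit per user
        self.effects_first = effects_first  # True = update state before the call

    def deposit(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount
        self.reserves += amount

    def withdraw(self, user, amount, on_receive):
        balance = self.balances.get(user, 0)
        if amount > balance or amount > self.reserves:
            raise ValueError("insufficient balance")
        if self.effects_first:
            # Hardened order: record the new balance before handing over control.
            self.balances[user] = balance - amount
        self.reserves -= amount
        on_receive(amount)  # token hook: recipient code runs here
        if not self.effects_first:
            # Vulnerable order: the balance is written only after the callback,
            # from a value that was read before it.
            self.balances[user] = balance - amount


def payout_with_reentrant_callback(effects_first, deposit=10, other_funds=90):
    """Return (tokens received, remaining reserves) for one depositor whose
    receive hook calls withdraw() again, as a regression test would."""
    pool = Pool(reserves=other_funds, effects_first=effects_first)
    pool.deposit("user", deposit)
    received = []

    def on_receive(amount):
        received.append(amount)
        try:
            pool.withdraw("user", deposit, on_receive)  # nested call
        except ValueError:
            pass  # pool refused: recorded balance or reserves exhausted

    pool.withdraw("user", deposit, on_receive)
    return sum(received), pool.reserves
```

With the balance written after the callback, a deposit of 10 drains all 100 tokens in the pool; with the balance written first, the nested call is rejected and only the 10 deposited tokens leave.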

Chinese news media indicated that there was a similar attack on the DeFi lending system, Uniswap, so the same hacker or group of hackers may have acted in both cases. In the latter case, the affected company reported that it suffered losses amounting to around USD 300,000 worth of cryptocurrencies.

Once the failure was detected, the platform suspended its service and instructed its users to stop making transfers of funds until further notice. At the time of writing this article, access to the Lendf.Me website was suspended. Users also received information about the funds that went to the Compound and Aave platforms. Stani Kulechov, founder and CEO of Aave, told digital media that around USD 10 million of the funds went to his protocol.

Tokenlon reported on April 19th that the imBTC contract had been suspended pending an evaluation of the security situation, after which it would resume. The BTC custody supporting imBTC 1:1 was not affected. Users who have imBTC will be able to trade, exchange, transfer, and use other functions after the suspension ends.

The incident with Lendf.Me occurred two months after another DeFi platform, bZx, suffered multiple attacks that led to the loss of USD 350,000 worth of cryptocurrencies. The figure was later updated to USD 645,000 and eventually to USD 1 million.

The decentralized finance market is flourishing as it allows users to choose instant loans or participate in prediction markets, for example. However, services of this type have also been victims of hackers, who exploit vulnerabilities in the smart contracts under which these systems operate.

Developers of blockchain-based security systems should take advantage of these events as opportunities for the creation of increasingly robust systems. Of course, they must always take into account the privacy of users’ data to ensure that they do not lose their funds due to cybercriminals’ attacks.

By Alexander Salazar
