$300 000+ USD

APRIL 2020

UNKNOWN

UNISWAP

DESCRIPTION OF EVENTS

"Uniswap is an Ethereum exchange, built using smart contracts and liquidity pools, as opposed to the order book of a traditional centralized exchange (CEX), such as Binance. With any Ethereum wallet, users can simply connect to the Uniswap application and effortlessly exchange ERC20 tokens without first sending them to the exchange platform account."


"[T]he development of Uniswap was facilitated by Vitalik Buterin’s idea for a decentralized exchange (DEX), which would involve an automated market maker. Actually, the protocol developer himself, Hayden Adams, at first tried to just practice development on Solidity, and later this hobby brought him several grants and $100 000 from the Ethereum Foundation. Now the project went far beyond just entertainment and became one of the most important components of the entire DeFi industry."


"Started at 12:58:19 AM +UTC, Apr-18–2020, a known reentrancy vulnerability was exploited on Uniswap against the imBTC liquidity pool…" "The exploit allowed the attacker to drain roughly $300k worth of value due to a reentrancy attack which allowed funds to be drained in a similar fashion to what happened with The DAO back in 2016." "[T]he attacker was able to call the Uniswap smart contract to withdraw funds before the external balance could be updated, effectively creating a cycle in which all the tokens in the contract could be purchased for pennies." "The Uniswap cyberattack reportedly exploited an already known shortcoming that majorly affects the ERC777 token standard."


"Specifically, in the Uniswap hack, the attacker exploits the vulnerability to drain the Uniswap liquidity pool of ETH-imBTC (with about 1,278 ETH) while in the Lendf.Me hack, the attacker makes use of it to (arbitrarily) increase the internal record of the attacker’s imBTC collateral amount so that she can borrow (and indeed borrow) a variety of 10+ assets from all available Lendf.Me liquidity pools (with total asset value of $25,236,849.44)."

"It was confirmed that all Uniswap smart contracts that comprise of imBTC, an ETH-based, tokenized version of BTC that is operated by Tokenlon, were entirely drained." "[T]he imBTC pool on Uniswap [was] attacked & drained. The hacker utilized an attack vector on ERC777 tokens on Uniswap." "According to investigators, hackers appear to have chained together bugs and legitimate features from different blockchain technologies to orchestrate a sophisticated 'reentrancy attack.'" "[T]he combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables [...] reentrancy attacks." "The first target on the attackers’ list was Uniswap, a fully decentralized peer-to-peer cryptocurrency exchange platform, providing users with a means to trade Ethereum cryptocurrency. In this case, the hackers stole between $300,000 and $1.1 million (in imBTC tokens)."

"[B]oth Uniswap and Lendf.Me were taken offline to prevent further attacks. Tokenlon said that “imBTC transfers will be resumed after Tokenlon and partners are confident that it is secure to do so.” Users are advised to follow updates on the company’s Twitter page."

Significant funds were held in a hot wallet, in this case the smart contract holding the pool's liquidity. The exploit is a reentrancy: the ERC777 token's transfer hook hands control back to the attacker's contract in the middle of a trade, so the attacker re-enters the exchange contract and withdraws funds before the pool's balance has been updated from the previous call. The vulnerability had been publicly known since July 2019 but was never patched or investigated until it was finally exploited.
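As an added illustration (not code from this page, Uniswap or Tokenlon), the toy Python model below reproduces the pattern described above: a token whose transfer hook calls back into the sender, a pool that quotes its price from a token reserve it has not yet updated, and a reentrancy lock of the kind later Uniswap versions adopted. Account names, balances, and the functions `honest_sales` and `reentrant_sales` are constructed for the example.

```python
# Added toy model (not from the page or Uniswap); all names and numbers are constructed.

class HookToken:
    """ERC777-style token: transfer_from notifies the sender before moving balances."""
    def __init__(self, balances):
        self.balances, self.hooks = dict(balances), {}
    def transfer_from(self, sender, to, amount):
        if sender in self.hooks:
            self.hooks[sender](amount)  # tokensToSend hook: sender's code runs mid-transfer
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Pool:
    """Constant-product pool that pays ETH first and pulls tokens second (V1 ordering)."""
    def __init__(self, token, eth, guarded):
        self.token, self.eth, self.guarded = token, eth, guarded
        self.locked, self.paid = False, {}
    def token_to_eth(self, seller, tokens_sold):
        if self.guarded and self.locked:
            raise RuntimeError("reentrancy blocked")  # mutex, as later Uniswap versions use
        self.locked = True
        try:
            reserve = self.token.balances.get("pool", 0)  # stale while a transfer is in flight
            eth_out = self.eth * tokens_sold // (reserve + tokens_sold)
            self.eth -= eth_out
            self.paid[seller] = self.paid.get(seller, 0) + eth_out
            self.token.transfer_from(seller, "pool", tokens_sold)  # external call: re-entry point
            return eth_out
        finally:
            self.locked = False

def honest_sales(n=3):  # baseline: n separate, non-reentrant sales of 100 tokens
    pool = Pool(HookToken({"attacker": 300, "pool": 1000}), eth=1000, guarded=False)
    return sum(pool.token_to_eth("attacker", 100) for _ in range(n))

def reentrant_sales(guarded, n=3):  # same n sales, each re-entered from the hook
    token = HookToken({"attacker": 300, "pool": 1000})
    pool, left = Pool(token, eth=1000, guarded=guarded), [n]
    def hook(amount):
        if left[0] > 1:  # re-enter while the pool's token reserve still excludes this transfer
            left[0] -= 1
            pool.token_to_eth("attacker", amount)
    token.hooks["attacker"] = hook
    try:
        pool.token_to_eth("attacker", 100)
    except RuntimeError:
        return None  # guarded pool aborts the whole trade, like an EVM revert
    return pool.paid["attacker"]
```

With the stale reserve, the three nested sales pay out 247 ETH against 229 for the same sales made one after another; with the lock enabled the nested call is rejected and the trade aborts.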

HOW COULD THIS HAVE BEEN PREVENTED?

Funds would be more secure in offline storage, with any release requiring multiple signatures from trained individuals, rather than sitting in a smart contract that any on-chain caller can interact with.


© 2021 Quadriga Initiative.