Topic: [Hack]: Lendf.Me lost $25 million (Read 107 times)

legendary
Activity: 3080
Merit: 1353
April 19, 2020, 06:41:37 PM
#5
They never learned, that vulnerability was exposed months ago with ERC777 here:

https://github.com/ConsenSys/Uniswap-audit-report-2018-12#31-liquidity-pool-can-be-stolen-in-some-tokens-eg-erc-777-29

And it just shows how dangerous DeFi can be for the crypto community.

It looks like the toxic ERC777 is the imBTC/Uniswap. Yes, I agree that DeFi can be very bad for us with all these attacks and exploits. There is also another article with a very detailed explanation of how someone can take advantage of the ERC777 swap.

(https://blog.openzeppelin.com/exploiting-uniswap-from-reentrancy-to-actual-profit/)
hero member
Activity: 1344
Merit: 540
April 19, 2020, 06:20:03 PM
#4
They never learned, that vulnerability was exposed months ago with ERC777 here:

https://github.com/ConsenSys/Uniswap-audit-report-2018-12#31-liquidity-pool-can-be-stolen-in-some-tokens-eg-erc-777-29

And it just shows how dangerous DeFi can be for the crypto community.
hero member
Activity: 3066
Merit: 629
April 19, 2020, 06:19:48 PM
#3
These hackers don't do good to the community.
I'm not a user of DeFi, but this will make people stop using it as the tendency of being hacked is there. The incident is fresh and people will be scared of putting their money into it.
hero member
Activity: 2842
Merit: 772
April 19, 2020, 04:13:11 PM
#2
This is definitely another blow to the so-called lending and borrowing and the whole DeFi ecosystem itself. DForce was integrating with partnerships and they are really focused on the project.

And it looks like this is the hack address:

https://etherscan.io/address/0xa9bf70a420d364e923c74448d9d817d3f2a77822

legendary
Activity: 2576
Merit: 1655
April 19, 2020, 04:07:05 PM
#1
Popular decentralized lending platform Lendf.Me was recently hacked and lost $25 million.

A Summary of the Attack on Lendf.Me on April 19, 2020

Quote
On 19 April 2020, Lendf.Me, the lending protocol in the dForce network, was attacked and approximately $25 million in assets were drained from the contract.

We know that the hackers utilized a vulnerability within the ERC777 standard of imBTC to execute a reentrancy attack. The callback mechanism of ERC777 (imBTC) enabled the hacker to supply and withdraw imBTC repeatedly before the balance was updated. More analysis on the hack can be viewed from PeckShield’s report.

The hacker(s) have attempted to contact us and we intend to enter into discussions with them.

https://medium.com/dforcenet/a-summary-of-the-attack-on-lendf-me-on-april-19-2020-e2f1c5d96640

So another sad day for crypto enthusiasts as the hackers drained all the money, including the founding with a whopping $25 million. I really don't know what to say but damn those hackers. It was reported that the hackers have contacted them, but I don't know if they will give back the money or what. So the attack vector used is introducing what we call a 'toxic asset' as collateral and then supposedly borrowing some funds, or shall we say borrowing all the funds.
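The quoted summary says the ERC777 callback let supply and withdraw run before the balance was updated. The following is an added example, not code from this thread, dForce or imBTC: a toy Python model of that ordering problem next to a reentrancy lock that stops it. All names, amounts and the pool's bookkeeping order are assumptions made for illustration.

```python
# Toy model (constructed): names, amounts and bookkeeping order are assumptions.
class HookToken:
    """Token that, like ERC777, runs a sender-registered hook during a transfer."""
    def __init__(self, balances):
        self.bal = dict(balances)
        self.hooks = {}                      # holder -> callback run before tokens move

    def transfer_from(self, src, dst, amount):
        if src in self.hooks:
            self.hooks[src]()                # control passes to the holder's code here
        if self.bal.get(src, 0) < amount:
            raise ValueError("insufficient token balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount

class Pool:
    def __init__(self, token, guarded):
        self.token, self.guarded = token, guarded
        self.credit, self.locked = {}, False

    def _call(self, body):
        """Run body; when guarded, reject any nested entry (reentrancy lock)."""
        if self.guarded and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            body()
        finally:
            self.locked = False

    def supply(self, user, amount):
        def body():
            cached = self.credit.get(user, 0)               # read before external call
            self.token.transfer_from(user, "pool", amount)  # sender hook fires in here
            self.credit[user] = cached + amount             # stale if the hook withdrew
        self._call(body)

    def withdraw(self, user, amount):
        def body():
            if self.credit.get(user, 0) < amount:
                raise ValueError("insufficient credit")
            self.credit[user] -= amount
            self.token.transfer_from("pool", user, amount)
        self._call(body)

def run(guarded):
    """Return (recorded credit, user tokens, pool tokens, nested call rejected)."""
    token = HookToken({"user": 101, "pool": 1000})
    pool = Pool(token, guarded)
    pool.supply("user", 100)                                  # ordinary deposit
    token.hooks["user"] = lambda: pool.withdraw("user", 100)  # hook re-enters the pool
    try:
        pool.supply("user", 1)
        rejected = False
    except RuntimeError:
        rejected = True
    return pool.credit["user"], token.bal["user"], token.bal["pool"], rejected
```

Without the lock the pool records 101 units of credit for a user who holds 100 of the 101 tokens again; with the lock the nested call is rejected and the records match the tokens actually held.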