Recently, Uniswap and Lendf.Me each suffered a "reentrancy attack" in which a large amount of user funds was stolen. Below we explain what happened.
To allow the possible reentrancy attacks to be investigated, the imBTC contract was suspended; it was restarted once the security incident had been evaluated.
The BTC escrow that backs imBTC 1:1 is not affected. Users holding imBTC will be able to redeem, trade, transfer and use other functions after the suspension is lifted.
Timeline of the relevant events
8:58 SGT on April 18th. An attacker exploited the interaction between Uniswap and ERC777 tokens to perform a reentrancy attack. For technical details please refer to OpenZeppelin's explanation.
12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.
12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.
17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.
09:28 on April 19th. Tokenlon received a message from Lendf.Me about a reentrancy attack, similar to the one that happened to Uniswap, which resulted in a large number of abnormal borrowings on the platform.
10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.
7:34 on April 20th. The imBTC contract reopened transfers.
Note: After receiving the hacker's email, Lendf.Me officially contacted us to reopen transfers so that the hacker could return the tokens.
13:33 on April 21st. The attacker's wallet began to return assets to the Lendf.me administrator wallet.
14:41 on April 21st. According to Lendf.Me, nearly all stolen funds had been returned. Lendf.Me states that it will update users within a week.
18:00 on April 22nd. After confirming with Lendf.me that the return of assets was proper, imBTC’s transfer, redemption and trading functions were fully restored.
The current status of imBTC
imBTC’s transfer, redemption and trading functions were fully restored.
imBTC is an ERC-777 token issued by Tokenlon and anchored 1:1 to BTC (it is also compatible with the ERC20 standard). To our knowledge, the ERC-777 token standard itself has no security vulnerabilities. However, an ERC777 transfer notifies the recipient through a hook before the calling contract has finished executing, and combining ERC777 tokens with the Uniswap and Lendf.Me contracts is what enabled the reentrancy attacks described above.
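To illustrate why the combination matters, the following Python model (an added example, not code from Tokenlon, Uniswap or Lendf.Me) shows an ERC777-style transfer handing control to the recipient's tokensReceived hook while a pool's withdraw() is still running; the pool that updates its ledger only after the transfer can be re-entered, while the variant that follows the checks-effects-interactions ordering cannot. All addresses, balances and pool logic are constructed for the model.

```python
# Constructed model, not the real imBTC, Uniswap or Lendf.Me code: an ERC777-style
# token whose transfer() calls the recipient's tokensReceived hook, and a pool whose
# withdraw() updates its ledger either before the transfer (checks-effects-
# interactions) or after it (the ordering that lets the hook re-enter).
class Erc777Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}  # stands in for the ERC1820 registry of hook implementers
    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        if to in self.hooks:
            self.hooks[to](sender, amount)  # control passes to the recipient here

class Pool:
    ADDR = "pool"
    def __init__(self, token, effects_first):
        self.token, self.effects_first, self.deposits = token, effects_first, {}
    def supply(self, user, amount):
        self.token.transfer(user, self.ADDR, amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount
    def withdraw(self, user, amount):
        if self.deposits.get(user, 0) < amount:           # check
            raise ValueError("withdraw exceeds deposit")
        if self.effects_first:
            self.deposits[user] -= amount                  # effect ...
            self.token.transfer(self.ADDR, user, amount)   # ... then interaction
        else:
            self.token.transfer(self.ADDR, user, amount)   # hook re-enters here
            self.deposits[user] -= amount                  # ledger updated too late

def run_scenario(effects_first, stake=10, honest_deposit=90):
    # Returns (attacker token balance, pool token balance) after one withdraw call.
    token = Erc777Token({"attacker": stake, "honest": honest_deposit})
    pool = Pool(token, effects_first)
    pool.supply("honest", honest_deposit)
    pool.supply("attacker", stake)
    def tokens_received(sender, amount):
        # Runs inside the pool's withdraw(); nested withdraws see the stale ledger.
        if sender == Pool.ADDR and token.balances[Pool.ADDR] >= amount:
            try:
                pool.withdraw("attacker", amount)
            except ValueError:
                pass  # the hardened pool rejects the nested call; outer call goes on
    token.hooks["attacker"] = tokens_received
    pool.withdraw("attacker", stake)
    return token.balances["attacker"], token.balances[Pool.ADDR]
```

On a real chain a revert inside the hook aborts the whole transaction; the model lets the hook swallow the error so that both orderings run to completion and their end balances can be compared directly.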
Please stay tuned to our communication channels. We will continue to release updates about the incident.