imBTC is fully restored, below are current status and background of the incidents.
Current imBTC status
✅ imBTC balances have been and remain accurate
✅ BTC is and has always been secure and 1:1 backed by BTC
✅ imBTC transfer, mint, redeem are back to normal
✅ Tokenlon trading is back to normal
Recently, Uniswap and LendfMe both experienced reentrancy attacks. Due to the lack of protection against reentrancy attacks on the platforms, hackers utilized the tokensToSend method to imBTC(ERC777) to initiate the reentrancy attack.
ERC777 is a token standard that doesn't present a security issue in itself, but it requires an extra handle of its hook function to prevent reentrancy attacks. We recommend handling imBTC integration with additional care. If you are using imBTC with your smart contracts, please take a pause and start self-examination. We hope the community could learn from these unfortunate incidents and establish a complete risk control and insurance framework.
To cooperate with the investigation, the imBTC contract had been paused and later unpaused for the funds to be returned. All other functions (trading, minting, redemption) resumed at 18:00 today. BTC in custody is and has been safe, and imBTC remains 1:1 backed by BTC at any time.
Timeline of the relevant events
12:12 SGT on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.
12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.
17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.
09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one that happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.
10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.
7:34 on April 20th. imBTC contract reopened transfers.
Note: After receiving the hacker’s email, Lendf.me officially contacted us to open transfers so that the hacker can return the tokens.
13:33 on April 21st. The attacker's wallet began to return assets to the Lendf.me administrator wallet.
18:00 on April 22nd. After confirming with Lendf.me that the return of assets was proper, imBTC’s transfer, redemption and trading functions were fully restored.
imBTC is an ERC777 token on Ethereum issued with an 1:1 anchor to BTC. imBTC has been audited by a third-party security team.
Learn more: https://tokenlon.im/imBTC
Contact us in the imBTC DApp in imToken or at firstname.lastname@example.org for business inquiries.