Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Uniswap and Lendf.me hacked, attacker stole $25 million worth of cryptocurrency

Hackers have stolen more than $25 million worth of cryptocurrency from the Uniswap exchange and the Lendf.me lending platform. Bad news from cryptocurrency industry, hackers have stolen more than $25 million in cryptocurrency from the Uniswap exchange and the Lendf.me lending platform. According to the experts, the two attacks could be linked, the same hacker […]

Crypto exchange Bybit ETH

Hackers have stolen more than $25 million worth of cryptocurrency from the Uniswap exchange and the Lendf.me lending platform.

Bad news from cryptocurrency industry, hackers have stolen more than $25 million in cryptocurrency from the Uniswap exchange and the Lendf.me lending platform.

According to the experts, the two attacks could be linked, the same hacker might have used an exploit shared on GitHub to hack the two services.

The issue exploited by the attacker was described in a post published by OpenZeppelini in April 2019, a proof-of-concept exploit code was released in July 2019,

The two incidents took place between Saturday and Sunday.

“Started at 12:58:19 AM +UTC, Apr-18–2020, a known reentrancy vulnerability was exploited on Uniswap against the imBTC. liquidity pool. Around 24 hours later, at Apr-19–2020 12:58:43 AM +UTC, a similar hack occurred on Lendf.Me.” reads the analysis published by Blockchain security firm PeckShield. “Technically, the main logic behind these two incidents is the fact that the implementation of ERC777-compatible transferFrom() has a callback mechanism, which allows the attacker to utterly hijack the transaction and perform additional illicit operations (via _callTokensToSend()) before the balance is really updated (i.e., inside _move()).”

Attackers have chained a reentrancy vulnerability with other issues and legitimate features from different blockchain technologies to hack the platforms.

A reentrancy attack consists in withdrawing funds repeatedly before the legitimate transaction is approved or declined.

In the hack of the Uniswap platform, the attacker exploited the issue to steal funds from the Uniswap liquidity pool of ETH-imBTC (containing about 1,278 ETH). In the case of the Lendf.Me hack, the attacker exploited the same issue to increase the internal record of the attacker’s imBTC collateral amount so that she can borrow (and indeed borrow) a variety of 10+ assets from all available Lendf.Me liquidity pools (with total asset value of $25,236,849.44).

According to Tokenlon, the company behind the imBTC token (coin) that runs on the Ethereum platform, the ERC-777 is not affected by security known issues.

The problem results by combining the ERC777 tokens and Uniswap/Lendf.Me contracts.

imBTC is an ERC-777 token anchored 1:1 to BTC (compatible with the ERC20 standard) issued by Tokenlon. The ERC-777 token standard has — to our knowledge — no security vulnerabilities. However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the above mentioned reentrancy attacks.” reads the post published by Tokenlon DEX.

It seems that the hacker has stolen between $300,000 and $1.1 million in funds from Uniswap, and more than $24.5 million from Lendf.me.

Tokenlon has suspended its imBTC token as precautionary measure and blocked all new transactions. Both Uniswap and the Lendf.me have been taken down to prevent further attacks.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Uniswap, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]