It’s happened again, folks. Another cryptocurrency theft is in the books. This time, the victims are the Uniswap exchange and the Lendf.me lending platform, which are reporting combined losses of more than $25 million.
Uniswap and Lendf.me Have Been Compromised
Cryptocurrency theft is nothing new, but what’s arguably most frustrating about stories like these is that while many companies and organizations in the industry are seeking to improve their security protocols, hackers are finding new ways to get their fingers on funds that don’t belong to them. Thus, for every step forward the cryptocurrency industry takes, hackers move alongside it.
Several cryptocurrency exchanges have been hacked or compromised over the past six years. Arguably the two biggest examples that come to mind are Mt. Gox and Coincheck. Both occurred in Japan approximately four years apart. The Mt. Gox hack took place in February of 2014, while the Coincheck hack happened in January of 2018.
The former saw more than $400 million in BTC funds disappear overnight, while Coincheck saw more than half a billion in altcoin funds drift into hacker-owned accounts. Other exchanges compromised over the past few years include Bithumb and Binance, the latter arguably the largest and most popular crypto exchange in the world.
In addition, crypto theft can occur in different (sneakier) ways. A common method is cryptojacking, in which a hacker takes over a person’s computer or digital device without their knowledge or consent. Once in, the hacker uses the person’s computing power to mine crypto, typically Monero given its quasi-anonymous properties.
The hacker ultimately makes a mint using the person’s energy, while the original owner gets nothing but hefty energy bills that show up in their mailbox at the end of each month.
The attacks on Uniswap and Lendf.me took place over the weekend. The incident is now being investigated by law enforcement. It is believed that the attacks on both platforms were carried out by the same individual(s), who appear to have used what’s known as a “reentrancy attack,” which allows the malicious actor in question to repeatedly withdraw funds before transactions are approved.
Thus, the hacker can get their talons on multiple funds before the transaction closes out. In a statement, Tokenlon – a decentralized exchange – commented:
“The ERC-777 token standard has, to our knowledge, no security vulnerabilities. However, the combination of using ERC-777 tokens and Uniswap/Lendf.me contracts enables… reentrancy attacks.”
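The reentrancy pattern described above can be shown with a simplified model. This is an added example, not code from Uniswap, Lendf.me or imBTC: the Vault, Account and run names and all amounts are constructed. It contrasts a withdrawal that calls the recipient's hook before updating its ledger with one that updates the ledger first, and includes the solvency check a monitor could run.

```python
# Simplified model (constructed): a pool whose payout invokes a hook on the
# recipient, the way an ERC-777 transfer notifies the receiving address.

class Account:
    def __init__(self, reenter=0):
        self.received = 0
        self.reenter = reenter        # times the hook calls back into the vault

    def on_receive(self, vault):
        if self.reenter > 0:          # re-enter while withdraw() is still running
            self.reenter -= 1
            vault.withdraw(self)

class Vault:
    def __init__(self, hardened):
        self.hardened = hardened
        self.balances = {}            # ledger: what each account is owed
        self.reserve = 0              # funds actually held

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def _send(self, who, amount):
        self.reserve -= amount
        who.received += amount
        who.on_receive(self)          # external call: control leaves the vault

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if self.hardened:
            self.balances[who] = 0    # update ledger first, then pay out
            self._send(who, amount)
        else:
            self._send(who, amount)   # pay out first ...
            self.balances[who] = 0    # ... ledger updated only after the hook

    def solvent(self):
        # Invariant a monitor can check: reserve covers everything owed.
        return self.reserve >= sum(self.balances.values())

def run(hardened):
    vault = Vault(hardened)
    honest, caller = Account(), Account(reenter=3)
    vault.deposit(honest, 100)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.reserve, vault.solvent()
```

In the vulnerable ordering the account that deposited 10 is paid 40 and the pool can no longer cover the other depositor; with the ledger updated first, every re-entered call sees a zero balance and the pool stays solvent.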
Both Companies Are Pretty Similar
The two ventures share several similarities in their overall structures and operations. For example, both Lendf.me and Uniswap were decentralized platforms and utilized imBTC, an Ethereum-based token that has virtually the same value as bitcoin.
At the time of writing, both companies have temporarily shut themselves down as the investigation continues. All additional transactions have also been halted to prevent the hackers from garnering further funds.