The reputation of the DeFi movement took another battering over the weekend as two platforms were hacked for a combined figure of over $25.3 million. dForce and imBTC saw huge amounts of ETH stolen in two separate events that seem to have been carried out by the same hackers, given the nature of the vulnerability that has been exploited. The twin hacks cast further doubt on DeFi’s readiness to be used as a safe alternative to traditional financing.
imBTC Loses $300,000
The first hack, which occurred on Saturday, saw imBTC lose some $300,000 in ETH, with attackers taking advantage of the ERC-777 protocol, a newer token standard than ERC-20. The hack was carried out using the same ‘reentrancy attack’ that brought down the Ethereum DAO in 2016 – this exploit allows a hacker to re-enter a smart contract function before it has finished updating its state, withdrawing the same funds over and over again until no funds remain.
In this case the attacker exploited the Kyber Uniswap smart contract, withdrawing the funds before the external balance could be updated, repeating the cycle until they had taken all the ETH in the imBTC wallet.
imBTC @tokenlon pool on @Uniswap has been attacked & drained🔥
Simple attack vector on ERC777 (with arbitrary code execution during transfer fct) on Uniswap to steal >$300k (#ETH+#BTC)
The vulnerability was described 16mths ago: https://t.co/a3AiJyY969 https://t.co/MKC2jNP1Y4 pic.twitter.com/cXOVu6le3P
— Julien Bouteloup (@bneiluj) April 18, 2020
dForce Taken for $25 Million
Shortly after the imBTC hack, dForce, a Chinese DeFi protocol backed by Multicoin Capital, suffered a potentially crippling hack that saw its total locked-in value plummet from $25 million to just $19,000.
Lendf.me, the lending platform used by dForce, was the subject of the hack, with their security team reporting to Chinese news site Chain News that a reentrancy attack on Uniswap via the ERC-777 token exploit was once again the method used. This suggests that the same hackers were responsible for both hacks, potentially using the imBTC hack as a warm-up to the massive $25 million Lendf.me hack:
This is the same exploit, hacker achieved unlimited collaterals then drain the pool by borrowing. https://t.co/WkicR04YpT pic.twitter.com/0DcuagwMpz
— WooParadog (@WooParadog) April 19, 2020
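The accounting flaw behind both incidents, the imBTC drain described above and the "unlimited collaterals" in the dForce tweet, can be modelled without a blockchain. The following is an added example, not code from the article, dForce, Uniswap or any other project mentioned: a constructed Python simulation in which an ERC-777-style token runs the holder's tokensToSend hook in the middle of a transfer, a pool that caches a balance, makes the external call and then writes the cached value back (VulnerablePool), and a pool that writes its state first and rejects nested calls (HardenedPool). Every name (HookToken, VulnerablePool, HardenedPool, run_tx, simulate, collateral_backed) and every balance is invented for the illustration; run_tx stands in for the EVM's all-or-nothing transaction semantics, and collateral_backed is the invariant a monitor would check.

```python
import copy


class Reentered(Exception):
    """Raised by the hardened pool when a call re-enters while another is in flight."""


class HookToken:
    """Minimal ERC-777-style token (constructed): transfer_from notifies the sender
    (tokensToSend) before balances change, so arbitrary code runs mid-transfer."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.send_hooks = {}          # holder -> callback run before its balance is debited

    def transfer_from(self, src, dst, amount):
        if self.balances[src] < amount:
            raise ValueError("insufficient token balance")
        hook = self.send_hooks.get(src)
        if hook is not None:
            hook()                    # external call: the holder's contract runs here
        self.balances[src] -= amount
        self.balances[dst] += amount


class VulnerablePool:
    """Caches a balance, makes the external call, then writes the cached value back."""

    def __init__(self, token):
        self.token = token
        self.collateral = {}

    def supply(self, user, amount):
        cached = self.collateral.get(user, 0)              # read before the call
        self.token.transfer_from(user, "pool", amount)     # hook may re-enter here
        self.collateral[user] = cached + amount            # stale write undoes a nested withdraw

    def withdraw(self, user, amount):
        if self.collateral.get(user, 0) < amount:
            raise ValueError("insufficient collateral")
        self.collateral[user] -= amount                    # effect before interaction
        self.token.transfer_from("pool", user, amount)


class HardenedPool(VulnerablePool):
    """Same API with a reentrancy guard and effects written before the interaction."""

    def __init__(self, token):
        super().__init__(token)
        self._entered = False

    def _guard(self, fn):
        if self._entered:
            raise Reentered("nested call rejected")
        self._entered = True
        try:
            fn()
        finally:
            self._entered = False

    def supply(self, user, amount):
        def body():
            self.collateral[user] = self.collateral.get(user, 0) + amount  # effect first
            self.token.transfer_from(user, "pool", amount)                # interaction last
        self._guard(body)

    def withdraw(self, user, amount):
        self._guard(lambda: VulnerablePool.withdraw(self, user, amount))


def run_tx(pool, fn, *args):
    """Model EVM atomicity (constructed helper): a raising call rolls back all state."""
    snapshot = copy.deepcopy((pool.collateral, pool.token.balances))
    try:
        fn(*args)
        return True
    except Exception:
        pool.collateral, pool.token.balances = snapshot
        return False


def collateral_backed(pool):
    """Invariant a monitor would check: recorded collateral never exceeds tokens held."""
    return sum(pool.collateral.values()) <= pool.token.balances["pool"]


def simulate(pool_cls, rounds=3):
    """Replay the scenario against a pool class; return (collateral, pool tokens, invariant ok)."""
    token = HookToken({"attacker": 200, "pool": 0})       # constructed balances
    pool = pool_cls(token)
    run_tx(pool, pool.supply, "attacker", 100)             # honest deposit: 100 collateral, 100 held
    # From now on the depositor's tokensToSend hook withdraws the honest deposit
    # while a fresh supply is still mid-transfer.
    token.send_hooks["attacker"] = lambda: pool.withdraw("attacker", 100)
    for _ in range(rounds):
        run_tx(pool, pool.supply, "attacker", 100)
    return pool.collateral["attacker"], token.balances["pool"], collateral_backed(pool)


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerablePool))   # collateral grows by 100 per round, pool holds 100
    print("hardened:  ", simulate(HardenedPool))     # nested withdraw reverts, collateral stays backed
```

In the vulnerable pool the nested withdraw does succeed and does move tokens out, but the caller's stale write then restores the collateral it just spent, so each round leaves the recorded collateral 100 higher than what the pool actually holds; that gap is what a borrow against "unlimited collaterals" draws on. Writing effects before the interaction removes the stale write, and the guard is still worth keeping on top of it because it turns any reentrant path, including ones the developer did not think of, into a revert that the invariant check never has to catch.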
DeFi Not Ready
The dual hacks once more call into question the readiness of DeFi to offer a genuine alternative to traditional money lending, at least in the short term. The fact that Uniswap was exploited recalls the two bZx hacks of February, which saw hackers game the various interlocked DeFi platforms that bZx uses, including Uniswap, to steal thousands of ETH.
While the concept of decentralized finance is still very much at the forefront of cryptocurrency’s appeal in a broader sense, we are still at the early stages, and trusting such platforms with your money is seemingly akin to leaving it on a shitcoin exchange and hoping, rather than expecting, that your money won’t be stolen.
All we can hope is that the platforms learn and grow from these attacks and can build better security features before the chance to make a real dent in traditional lending is lost.