Cyber Incident Victim: Lendf.me
Date: Apr 2020
Location: China
Summary
Hackers executed a sophisticated reentrancy attack that exploited the interaction between the ERC-777 token imBTC and the smart contracts of decentralized finance protocols, first targeting Uniswap without causing any financial loss and then draining approximately $25 million from Lendf.me. The attackers leveraged a known vulnerability documented by OpenZeppelin, withdrawing nearly all funds from the platform through repeated transaction loops. Both platforms were temporarily taken offline to prevent further exploitation, and imBTC transactions were suspended to block additional attacks. After the attackers inadvertently exposed an IP address, negotiations conducted via blockchain messages led to the return of virtually all stolen funds, approximately $23.8 million, with the small shortfall attributed to cryptocurrency price fluctuations during the incident.
Description
On April 18-19, 2020, hackers executed two related attacks against the decentralized finance (DeFi) platforms Uniswap and Lendf.me, resulting in the theft of approximately $25 million in cryptocurrency from Lendf.me. The first attack targeted Uniswap on Saturday but yielded no losses. The following day, the attackers drained roughly 99.5% of Lendf.me's funds using an identical method. Investigators determined that both incidents involved a sophisticated reentrancy attack exploiting the interaction between the ERC-777 token standard and the platforms' smart contracts. The attackers leveraged a known vulnerability that OpenZeppelin had documented in a July 2019 GitHub proof-of-concept exploit, chaining together legitimate blockchain features to create withdrawal loops that bypassed the contracts' transaction validation checks.

The attackers immediately transferred the stolen funds to secondary accounts. Both platforms suspended operations to contain further damage, with Lendf.me and Tokenlon (issuer of the imBTC token involved in the attack) halting all transactions. Tokenlon's post-incident analysis confirmed that the ERC-777 standard itself had no inherent flaws, but that its implementation alongside Uniswap's and Lendf.me's contracts created exploitable conditions. On April 21, after accidentally leaking an IP address during the attack, the hackers returned $23.8 million of the stolen cryptocurrency through a settlement negotiated with Lendf.me's operators via on-chain messages. Analysts attributed the $1.2 million discrepancy to minor cryptocurrency price fluctuations during the two-day negotiation period. Despite the partial recovery of funds, the incident highlighted systemic risks in the way DeFi protocols interact.
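To illustrate the contract-level pattern behind this class of incident, the Solidity sketch below is an added example; it is not Lendf.me's, Uniswap's or Tokenlon's code, and the contract names `VulnerablePool`, `HardenedPool` and `IToken` are hypothetical. It assumes a lending pool that accepts deposits of a token whose transfer invokes a hook on the sending holder before balances move (the ERC-777 `tokensToSend` hook behaves this way), which hands control to holder-controlled code in the middle of the pool's own call. The vulnerable pool writes a pre-call snapshot back to storage after that external call, so any state change made during the call is silently overwritten; the hardened pool applies effects before interactions, rejects re-entry, and enforces a solvency invariant that a monitoring job can also check off-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface (assumption: the token also exposes ERC-20 style
// calls). With an ERC-777 token, transferFrom invokes the holder's registered
// tokensToSend hook BEFORE balances are updated, so holder-controlled code
// runs while the pool's supply() is still in progress.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// VULNERABLE PATTERN (illustrative, hypothetical): read a snapshot, make the
// external token call, then write the snapshot-derived value back. A withdrawal
// executed from inside the token hook lowers balances[msg.sender], but the
// final write restores the stale snapshot plus the deposit, so the pool's
// accounting no longer matches the tokens it actually holds.
contract VulnerablePool {
    IToken public immutable token;
    mapping(address => uint256) public balances;

    constructor(IToken _token) { token = _token; }

    function supply(uint256 amount) external {
        uint256 snapshot = balances[msg.sender];                       // read
        require(token.transferFrom(msg.sender, address(this), amount), // external call: hook runs here
                "transfer failed");
        balances[msg.sender] = snapshot + amount;                      // stale write
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// HARDENED PATTERN (illustrative, hypothetical): a reentrancy guard on every
// state-changing entry point, checks-effects-interactions ordering, and a
// solvency invariant that reverts if internal accounting ever claims more
// tokens than the pool holds.
contract HardenedPool {
    IToken public immutable token;
    mapping(address => uint256) public balances;
    uint256 public totalSupplied;  // sum of all balances
    uint256 private locked = 1;    // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IToken _token) { token = _token; }

    // Effects first, computed from current storage rather than a pre-call
    // snapshot; interaction last; the guard rejects any re-entry from the hook.
    function supply(uint256 amount) external nonReentrant {
        balances[msg.sender] += amount;
        totalSupplied += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        _assertSolvent();
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        totalSupplied -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
        _assertSolvent();
    }

    // Invariant: tokens actually held must cover every depositor's balance.
    // Reverting here turns a silent accounting drift into a failed transaction,
    // and the same comparison is cheap to run as an off-chain monitoring alert.
    function _assertSolvent() internal view {
        require(token.balanceOf(address(this)) >= totalSupplied, "solvency invariant violated");
    }
}
```

The point Tokenlon's analysis makes applies here: the hook is a legitimate ERC-777 feature, and neither contract above is wrong about the token. The defect is entirely in the pool's ordering of reads, external calls and writes, which is why the fix lives in the pool (guard, ordering, invariant) rather than in the token.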
