Uniswap/Lendf.Me Hacks: Root Cause and Loss Analysis

Figure 1: ERC777-Compatible transferFrom()

Root Cause Analysis

If we delve into the ERC777 source code, the vulnerability lies in the internal logic that calls the tokensToSend() function when the from address of the transferFrom() operation has registered itself as the implementer (through the standard ERC1820 interface). For illustration, the following code snippets show the context in which tokensToSend() is called. In particular, as shown in line 1054, the getInterfaceImplementer() function of ERC1820 is used to retrieve the registered implementer, if any. This function takes two parameters, from and TOKENS_SENDER_INTERFACE_HASH: the first argument is essentially the attacker (e.g., the address supplying imBTC into Lendf.Me) and the second is a constant, i.e., keccak256("ERC777TokensSender"). Later, in line 1056, the tokensToSend() function defined in the implementer is called, which allows the attacker to hijack the transaction by injecting additional malicious code for execution.

Figure 2: ERC777-Compatible tokensToSend() Hijacking
Figure 3: OpenZeppelin’s Exploit Demo (Hook Setup)
Figure 4: OpenZeppelin’s Exploit Demo (Hook Function)

Uniswap Hack

Since the theory behind the Uniswap hack has been described earlier in this post, we’re not going to elaborate further in this blog. Instead, we examine a specific malicious transaction (hash: 0x9cb1d93d6859883361e8c2f9941f13d6156a1e8daa0ebe801b5d0b5a612723c1). Evidently, there is an additional tokenToEthSwapInput() call embedded inside. This means the attacker can trade another batch of imBTC tokens for ETH while the conversion rate has been manipulated to the attacker’s advantage.

Figure 5: Uniswap Hack

Lendf.Me Hack

The Lendf.Me hack works slightly differently but is of the same nature. If we examine a particular malicious transaction (hash: 0xae7d664bdfcc54220df4f18d339005c6faf6e62c9ca79c56387bc0389274363b), the deposit function, i.e., supply() in Lendf.Me, is hooked by embedding an additional withdraw() operation, which increases the internal record of the attacker’s imBTC collateral amount without actually depositing that amount.

Figure 6: Lendf.Me Hack
Figure 7: Lendf.Me Hack Details

Mitigation

As a common mitigation against such reentrancy attacks, the so-called Checks-Effects-Interactions design pattern always helps. For example, if Lendf.Me’s supply() called doTransferIn() after saving the user’s token balance updates, there would be no chance for the attacker to reset the balance updates through the withdraw() call.
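
The ordering fix described above, as an added Python model that is not part of the original post and is not Lendf.Me or ERC777 code; the Token and Pool classes, account names and amounts are assumptions made for illustration. It compares the collateral the pool has recorded with the tokens it actually holds when supply() saves the balance after versus before the token transfer.

```python
# Constructed model: classes, account names and amounts are illustrative assumptions.
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}  # stands in for the ERC1820 implementer registry

    def transfer_from(self, src, dst, amount):
        hook = self.hooks.get(src)
        if hook:
            hook()  # tokensToSend(): sender-controlled code runs before the transfer
        if self.balances.get(src, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Pool:
    def __init__(self, token, checks_effects_interactions):
        self.token = token
        self.cei = checks_effects_interactions
        self.supplied = {}  # internal record of each user's collateral

    def supply(self, user, amount):
        new_balance = self.supplied.get(user, 0) + amount
        if self.cei:
            self.supplied[user] = new_balance               # effect saved first
            self.token.transfer_from(user, "pool", amount)  # interaction last
        else:
            self.token.transfer_from(user, "pool", amount)  # interaction first
            self.supplied[user] = new_balance               # stale value overwrites withdraw()'s update

    def withdraw(self, user):
        amount = self.supplied.get(user, 0)
        self.supplied[user] = 0                             # effect before interaction
        self.token.transfer_from("pool", user, amount)


def simulate(checks_effects_interactions):
    """Return (total recorded collateral, tokens the pool holds) after a hooked supply()."""
    token = Token({"alice": 1000, "hooked": 101})
    pool = Pool(token, checks_effects_interactions)
    pool.supply("alice", 1000)   # honest liquidity
    pool.supply("hooked", 100)   # ordinary deposit, no hook registered yet
    token.hooks["hooked"] = lambda: pool.withdraw("hooked")
    pool.supply("hooked", 1)     # the hook re-enters withdraw() in the middle of supply()
    return sum(pool.supplied.values()), token.balances["pool"]
```

With the transfer first, simulate(False) returns (1101, 1001), so the record exceeds what the pool holds; with the balance saved first, simulate(True) returns (1000, 1000).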

Aftermath

The Lendf.Me hack is a huge blow to the current DeFi community. In the following, we put together the amounts lost across various assets in this incident:

About us

PeckShield Inc. is an industry-leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us via Telegram, Twitter, or email.
