A deep dive into the Uniswap and Lendf.me incidents and what they mean for Ethereum’s DeFi ecosystem.
The Question of Security in DeFi Applications
2020 has proven a critical year for the Ethereum DeFi ecosystem. In addition to celebrating over $1B USD locked in DeFi and significant platform milestones, the industry has seen frequent security incidents, both minor and major, across new and established DeFi applications. The bZx and Maker events of February and March have been well-covered, but we have pulled some data and insight into recent events on the Uniswap and Lendf.me protocols, specifically around the compromise of the ERC-777 token standard that allowed hackers to drain $25M worth of crypto on April 18th and 19th.
The imBTC token is an ERC-777 token released by Tokenlon, a DEX running on the 0x protocol. In both the Uniswap and Lendf.me incidents, the hacker(s) exploited a reentrancy vulnerability that arose from the incompatibility between the ERC-777 token standard and the DeFi protocols. Broadly speaking, the reentrancy vulnerability allowed the hacker to essentially re-spend initial deposits of imBTC, effectively providing them with unlimited capital to enact trades or borrows.
The attack was made possible because Uniswap V1 does not have measures in place to guard against this type of reentrancy attack when interacting with the ERC-777 standard. In total, the hacker made off with ~$300k USD in imBTC and ETH (~$141k ETH + ~$160k imBTC).
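To make the mechanism concrete, here is an added example (not code from Uniswap, Lendf.me or imBTC): a simplified Python model of a token whose sender hook runs before balances move, and a pool that writes its ledger only after the transfer returns. `HookToken`, `Pool` and `run` are hypothetical names and the amounts are constructed; the `guarded` flag adds a mutex-style reentrancy guard, a standard mitigation.

```python
class HookToken:
    """Toy token with an ERC-777-style sender hook (constructed model)."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.sender_hooks = {}  # holder -> callback run before balances move
    def transfer_from(self, holder, to, amount):
        self.sender_hooks.get(holder, lambda: None)()  # external call happens here
        if self.balances.get(holder, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[holder] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Pool:
    """Hypothetical pool; guarded=True adds a mutex-style reentrancy guard."""
    def __init__(self, token, guarded):
        self.token, self.guarded = token, guarded
        self.credit, self.locked = {}, False
    def _guard(self, action):
        if self.guarded and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            return action()
        finally:
            self.locked = False
    def supply(self, user, amount):
        def action():
            stale = self.credit.get(user, 0)                # read ledger
            self.token.transfer_from(user, "pool", amount)  # sender hook fires
            self.credit[user] = stale + amount              # write from stale read
        return self._guard(action)
    def withdraw(self, user, amount):
        def action():
            if self.credit.get(user, 0) < amount:
                raise ValueError("insufficient credit")
            self.credit[user] -= amount
            self.token.transfer_from("pool", user, amount)
        return self._guard(action)

def run(guarded):  # returns (ledger credit, tokens the pool holds, guard fired)
    token = HookToken({"user": 101})
    pool = Pool(token, guarded)
    pool.supply("user", 100)
    token.sender_hooks["user"] = lambda: pool.withdraw("user", 100)
    try:
        pool.supply("user", 1)
    except RuntimeError:
        return pool.credit["user"], token.balances["pool"], True
    return pool.credit["user"], token.balances["pool"], False
```

With the guard off, the ledger ends up crediting more than the pool holds, which is the invariant an audit or on-chain monitor would check; with the guard on, the nested call is rejected and the ledger stays fully backed.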
Interestingly, this attack vector was not unknown to Uniswap or to the crypto community at large. Almost exactly a year before the Uniswap attack, ConsenSys Diligence — the security audit service offered by ConsenSys — identified and published the ERC-777 reentrancy attack vector. Uniswap had plans to address the attack vector, as outlined in their March 23 blog post about the features of Uniswap V2.
The Lendf.me incident exploited the same reentrancy vulnerability made available by the incomplete compatibility between the lending protocol and the ERC-777 token standard, but with far greater effect. Nearly 100% of Lendf.me’s funds, over $24m USD, was drained during the attack on April 19.
Unlike in the Uniswap event, the stolen funds were not limited to just ETH and imBTC. Though the majority of stolen funds were WETH ($10.8m), USDT and HBTC made up an additional $9.7m, followed by at least 16 other tokens. The graphs below show the asset distribution of compromised funds and the monthly token volumes on Lendf.me leading up to the attack on April 19.
In an unexpected turn of events, the Lendf.me hacker(s) returned the stolen funds to the protocol, reportedly because they accidentally exposed an IP address during the attack. The Sankey diagram below shows the flow of funds after the hack. Funds left the Lendf.me contract (green), went through the handler contract (gray), and to the hacker’s address (black). After the IP was revealed, the hacker transferred the funds back to the Lendf.me admin address, which then transferred the funds to a recovery address (both in purple). The far right of the graph, where the diagram flows out into many individual fund streams, marks the moment when Lendf.me returned funds to individual users.
What Does This Mean for DeFi?
Despite these waves of security incidents on DeFi protocols, the industry is still overwhelmingly positive about the opportunities of DeFi and the momentum it is bringing to Ethereum. Objective DeFi statistics support positive sentiment. In response to security events this year and considerable market pressures beginning in March, locked ETH has decreased from an all-time high in February. However, levels have dipped only to December 2019 numbers. These statistics, even in the face of high-profile security incidents, suggest the DeFi ecosystem as a whole has surpassed some point of “no return.” Though confidence in individual protocols has suffered, overall commitment to the emerging paradigms of decentralized finance has remained strong.
During these 2020 security incidents, the Ethereum community has focused attention on ways to prevent and respond to future events. Generally speaking, there is value in all these hacks occurring on open technology. Without needing particular permission or access, third-party security auditors and dapp developers have been able to freely analyze the incidents, warn against other weaknesses, and propose fixes for future DeFi applications. These incidents reveal the cooperative ethos of open software, and set the stage for a more secure ecosystem. In particular:
DeFi Monitoring Tools
Leveraging the openness of the Ethereum blockchain, a host of DeFi-related monitoring tools are available to the public to more confidently interact with financial applications. Codefi Inspect is an open source tool to aggregate critical security information about DeFi protocols, including public audits, admin key details, oracle dependency, and on-chain activity. Codefi’s DeFi Score is a value of platform risk that can be compared across protocols to better inform users’ decisions when choosing between DeFi applications.
Dapps are becoming more open about identified security vulnerabilities. Uniswap acknowledged the ERC-777 issue in their March 2020 blog post. A developer from the trading protocol Hegic published an open ‘post-mortem’ about a bug in her code that rendered some funds inaccessible. Exchange protocol Loopring identified a front-end vulnerability, paused the exchange, announced to the community, and worked to fix the issue. This sort of transparency is crucial to building trust among new and existing users and to scaling a more secure network of DeFi protocols.
Blockchain-based insurance has been around for a while, but has been brought sharply into focus these past few months. Nexus Mutual (a blockchain insurance veteran) and, more recently, Opyn have (re)emerged as top players in this adjacent DeFi industry. Security vulnerabilities are likely to exist in any technology field, whether emerging or incumbent. The more protective measures that exist alongside these technologies, the easier the path to widespread adoption.
Originally published at https://codefi.consensys.net on May 12, 2020.
Thoughts on DeFi Security was originally published in ConsenSys Media on Medium.