What have we seen from the Lendf.Me hack?
Winkrypto
2020-04-21 03:55
Setting values aside, this is a summary of the facts we have seen; for those who came before and those who come after, we are eager to prevent problems before they happen.

Editor's Note: This article comes from Chain News ChainNews (ID: chainnewscom), written by LeftOfCenter, published with permission.

The author is especially grateful to Yu Xian, the founder of SlowMist Technology, for his help with this article.

It's been a restless weekend for DeFi investors. Nearly $25 million worth of assets on the well-known DeFi lending protocol Lendf.Me were looted by hackers, and it took only an hour.

Around 9:00 am on Sunday, April 19th, Beijing time, Xu Yong from DeBank posted a screenshot in a WeChat group showing that the utilization rate of funds on the Lendf.Me platform was abnormal. At that time, almost all lendable assets on the platform had extremely high lending rates. The utilization rate of many assets was as high as 99%, and the utilization rate of imBTC was 100%. Data from DeFi Pulse also showed that the assets locked on the Lendf.Me platform had fallen rapidly.

Soon afterwards, Tokenlon announced the suspension of imBTC transactions.

The Lendf.Me team later confirmed that it was hacked at 8:45 Beijing time, at block height 9899681. The team stated that the website had been shut down and an investigation had been launched. The technical team had located the problem, and the web page advised all users to stop depositing assets into the lending protocol.

So far, the hackers have emptied all user-deposited assets on the Lendf.Me platform. On-chain data shows that after the attack, the USD value of Lendf's locked assets instantly dropped by 100% to USD 6, while the previous total locked value exceeded USD 24.9 million. On-chain observation found that the attackers continued to exchange the stolen assets into ETH and other tokens through DEX platforms such as 1inch.exchange, ParaSwap, and Tokenlon.

According to the statistics released by the blockchain security company SlowMist Technology at that time, the cumulative loss from the attack on Lendf.Me was about 24,696,616 US dollars. The specific stolen currencies and amounts are as follows:

  • WETH: 55159.02134

  • WBTC: 9.01152

  • CHAI: 77930.93433

  • HBTC: 320.27714

  • HUSD: 432162.90569

  • BUSD: 480787.88767

  • PAX: 587014.60367

  • TUSD: 459794.38763

  • USDC: 698916.40348

  • USDT: 7180525.08156

  • USDx: 510868.16067

  • imBTC: 291.3471

At this point, it is easy to think of bZx, which suffered a flash loan attack not long ago. That attack also took place on a Saturday in January, and a total of 900,000 US dollars was stolen in two attacks. At that time, many DeFi enthusiasts suddenly realized that the booming DeFi was not as safe as imagined.

On Sunday night, things took a more dramatic turn when the hackers began returning some assets to Lendf.Me.

This action was also confirmed in an official statement released by the team later. Yang Mindao, the founder of dForce, the initiator of the Lendf.Me platform, said in an article published later, "Hackers tried to contact us, and we intend to discuss with them." The admin account of the Lendf.Me platform responded to the attacker through a memo. Yang Mindao said that he is cooperating with exchanges and law enforcement agencies to track down the hackers and do his best to recover the stolen funds.

At the same time, many victims of the Lendf.Me platform left messages for the hackers through transfers, begging them to return their hard-earned money. By this point, the theft had evolved into a large mass incident.

The team also announced several follow-up measures to resolve the incident, including:

  • Contacting top security companies to conduct a more comprehensive security assessment of Lendf.Me;

  • Working with partners to develop solutions and recapitalize the system: "Although we have been attacked, we will not be brought down";

  • Working with major exchanges, OTC traders and law enforcement agencies to investigate the situation, seize the stolen funds and track down the hackers.

As of now, the investigation and interception of the stolen funds is ongoing.

Restoring the attack process

What is known so far is that the attacker took advantage of a "feature" of the ERC-777 standard adopted by imBTC to carry out a reentrancy attack, resulting in assets with a market value of about 25 million US dollars being taken out of the Lendf.Me contract.

SlowMist has reconstructed the details of this attack: the address of the attacker who attacked Lendf.Me is 0xa9bf70a420d364e923c74448d9d817d3f2a77822, and the attacker carried out the attack by deploying the contract 0x538359785a8d5ab1a741a0ba94f26a800759d91d.

By viewing Etherscan, one of the last transactions can be found. In it, the attacker first deposited 0.00021593 imBTC, but successfully withdrew 0.00043188 imBTC from Lendf.Me; that is to say, the withdrawn amount was almost double the deposited amount.

So how did the attacker double the balance within one short transaction? SlowMist went on to analyze every action in the transaction in depth:

  • The attacker made two calls to the supply() function on Lendf.Me, but these two calls were independent of each other; the second supply() was not called from inside the first supply();

  • Immediately afterwards, during the second call to supply(), the attacker's own contract initiated a call to Lendf.Me's withdraw() function, and finally withdrew the funds;

  • The attacker's withdraw() call occurs inside the transferFrom function, that is, when Lendf.Me calls the user's tokensToSend() hook function through transferFrom. Clearly, the attacker re-entered the Lendf.Me contract through the supply() function, resulting in a reentrancy attack.

If the above technical details are not easy for a beginner to understand, the following analogy explains what a reentrancy attack is:

Teller B inquired about the amount of A's account, and recorded the amount into the "temporary account to be withdrawn". However, before teller B withdraws the money from the "temporary account to be withdrawn" and updates A's account amount and resets A's "temporary account to be withdrawn", A has disappeared;

A arrived at another branch at the speed of light and told teller C of that branch that he needed to withdraw money. Teller C repeated the operation of the previous teller B: inquired about the amount of A's account, recorded the amount again into the "temporary account to be withdrawn", withdrew the money from the "temporary account to be withdrawn", updated A's account amount and reset A's "temporary account to be withdrawn";

In the end, this caused A to withdraw twice his own amount of money, and so on, until all the funds in the bank were wiped out.

In the case of the Lendf.Me hack, A corresponds to the hacker, and the bank is Lendf.Me.

Where does the disaster come from?

This is a landmark hacking incident in the DeFi field, and it has triggered extensive discussion in the industry. The discussion is not limited to the amount stolen and the project itself, but also involves the importance of security, the meaning of open finance, the inclusiveness of the community and even the misconceptions and prejudices in the Western blockchain community.

First of all, $25 million is not a small loss; it may be all the savings of ordinary users on the platform. For these early explorers in the DeFi field, skepticism about centralized platforms led them to embrace open finance. The heavy price paid this time is undoubtedly a heavy blow to their confidence in DeFi.

For the project side, this may mean starting all over again. As one of the leaders in DeFi, Lendf.Me is a star blockchain project that originated in China and a rising star with potential. Only half a year after its launch in September 2019, it had earned a place in the open finance lending market and had already developed into the largest fiat stablecoin lending protocol. Before the attack, it had nearly $30 million in assets and nearly $10 million in outstanding loans. Just a few days ago, Lendf.Me received a strategic investment of US$1.5 million from Multicoin Capital, Huobi Capital and CMB International.

Yang Mindao, the founder of dForce, also stated in the statement that he personally suffered serious financial losses in this hacking attack.

To make matters worse, beyond the direct victims, the indirect damage caused by this incident may be even greater. In February of this year, DeFi had just reached a milestone (locked assets exceeded 1 billion US dollars), and because DeFi is an important real use case of Ethereum, this incident may cost confidence in Ethereum and even in public chains as a whole.

In response to this attack, some community members believe that the platform bears an inescapable responsibility. Lendf.Me itself, as the operator, did not review the contract security on the interface side thoroughly enough, which led to the accident. In this regard, the team stated that it has contacted top security companies to conduct a more comprehensive security assessment of Lendf.Me, and it is expected that the team will strengthen this aspect in the future.

Another view holds that Tokenlon, the asset issuer of imBTC, bears some responsibility. After shutting down imBTC's contract transfers following the Uniswap incident the night before, it reopened the contract transfer function of imBTC, giving hackers an opportunity.

However, the information disclosed by Tokenlon stated that before imBTC's transfer function was restarted at 17:00 on April 18, it had communicated with Lendf.Me and other imBTC partner platforms, and the transfer function was restarted only after Lendf.Me and the other partner platforms confirmed that their security risk assessments had found no problems.

imBTC is an ERC-777 token (compatible with ERC-20) anchored at 1:1 with BTC. It is issued and supervised by Tokenlon. imBTC adopts the ERC-777 token standard specification.

For security reasons, many investors have begun to check which platforms involve ERC-777 standard tokens, and for a while the mere mention of the ERC-777 standard made people nervous.

Others come to the protocol standard's defense, arguing that the standard itself is fine and that developers did not consider the compatibility issues involved when using it.

For example, some developers believe that ERC20 is to ERC777, just like Bitcoin is to Ethereum. Although ERC20 is more secure, its functions have limitations.

The ERC20 standard, born in 2015, has very simple functions, so it is also very popular. But for a system trying to create "programmable money," the ERC 20 token standard is very limited, and its limitations have led to many of Ethereum's user experience issues.

The ERC 777 standard can be regarded as an upgraded version of the ERC 20 standard. As a new token standard, it is backward compatible with ERC20 and adds some new functions. These include data fields, operators, contract wallets, and features such as rejecting unwanted tokens.

But the biggest problem that ERC 777 solves is that, by adding a "hook", it provides a payment function for tokens other than ETH, which enables the conversion of Dai to ETH in Uniswap to be completed in one step.

For readers who are not familiar with the ERC20 token standard, here is a brief explanation: since the ERC20 token standard does not have a "payment function", multiple transactions are required when trading tokens. For example, if you use Uniswap to convert ETH to Dai, you can basically get Dai just by sending ETH, but if you convert Dai to ETH, you first need to make a transaction to approve Dai before it can be exchanged for ETH.

The reason for this problem is that the ERC20 standard has no "payment function": a contract can execute code when receiving ETH, but cannot execute code when receiving tokens other than ETH. ERC 777 solves this problem by adding a "hook", allowing the conversion of Dai to ETH to be completed in one step.

However, reentrancy attacks are nothing new. "The DAO incident" that led to the split of Ethereum in 2017 was caused by a reentrancy attack. For developers, what may be new is that reentrancy attacks can also affect tokens other than ETH. Previously, developers may have understood it this way: ETH transfers are vulnerable to reentrancy attacks, but other token transfers are safe.

This incident has also triggered a reflection on the entire DeFi ecosystem.

DeFi, known as "money Lego", is composable and interoperable, which brings countless possibilities. But the other side of the coin is also the biggest problem of DeFi: in such a complex system, risk is magnified without limit, and the security of the whole system depends on its shortest stave, which can drag the entire system down. This is the classic barrel principle.

For this reason, one of the defensive suggestions given by the security team SlowMist is: "When connecting multiple contracts, it is necessary to check the code security and business security of multi-party contracts, and fully consider the security issues under the combination of various business scenarios."

Rethink

Those early explorers who turned from centralized platforms to DeFi out of concerns about security risks suddenly discovered that the security problems of decentralization seem to be even greater.

Especially in the past year, there have been many accidents in the DeFi field.

  • In June 2019, Synthetix suffered an oracle attack and lost more than 37 million sETH synthetic tokens.

  • In January of this year, bZx was attacked twice, and the loss amounted to 900,000 US dollars.

  • In March of this year, the Zap smart contract provided by the new DeFi star project iearn.finance did not check slippage, which led to an abnormal transaction on the stablecoin trading platform Curve. Afterwards, thanks to human intervention, those affected suffered almost no losses, but its founder Andre Cronje said that he could not bear the social pressure and would let the project operate on its own.

  • The black swan event of March 12 allowed some liquidators to win auctions in the Ethereum collateral liquidation procedure with a bid of 0, leaving MakerDAO with nearly $5 million of undercollateralized outstanding debt, and the owners of multiple collateralized positions lost all of their collateral during the market sell-off.

  • The day before the Lendf.Me hack, hackers took advantage of Uniswap's ERC777 compatibility issues to steal over $300,000 worth of imBTC.

Clearly, this incident with Lendf.Me is not the first and will not be the last.

The hacking incident sounded the alarm for the entire industry, forcing various projects to start reviewing their own security vulnerabilities.

One day after the Lendf.Me incident, Curve, a decentralized stablecoin trading platform that uses bonding curves for market making, announced that there were loopholes in its sUSD fund pool contract, saying that "all loopholes have been resolved, funds are safe, and no losses have occurred." Curve asks users to withdraw their funds and wait for the new contract to be deployed. Changes to the new contract will be audited.

So far, platforms compliant with the ERC-777 standard have begun to take action. The Ethereum "lossless lottery" platform PoolTogether announced that it has removed the ERC-777 standard token plDai, which was previously a small pool of funds for third-party developers, involving only about 480 plDai. However, Yu Xian, the founder of SlowMist, said, "Removing plDai is not a complete solution. Their own code is also compatible with ERC-777, so their own code needs to be strengthened."

Another blockchain security team, PeckShield, proposed an effective solution, suggesting that developers adopt the "Checks-Effects-Interactions" approach to prevent this kind of reentrancy attack. For example, in supply() of Lendf.Me, if the token balance were updated first and doTransferIn() called only afterwards, it would be impossible for an attack to reset the balance after withdraw().

This is an excellent opportunity for summary and reflection, allowing projects and users themselves to begin to examine the importance of security. In the long run, this is beneficial to the development of the entire industry.

For project teams, the most important things going forward are preventing problems before they happen and "how to maximize the security of platform funds". To this end, SlowMist has put forward a series of defense suggestions:

  • Add a lock mechanism to key business operation methods, such as OpenZeppelin's ReentrancyGuard;

  • When developing a contract, use the coding style of first changing this contract's variables and only then making external calls;

  • Before the project goes online, invite an excellent third-party security team to conduct a comprehensive security audit and discover as many potential security issues as possible;

  • When multiple contracts are connected, also check the code security and business security of the multi-party contracts, and fully consider the security issues under the combination of various business scenarios;

  • The contract should have a pause switch wherever possible, so that when a "black swan" event occurs, it can be detected in time and the losses stopped;

  • Security is dynamic, and each project team also needs to capture threat intelligence that may be related to its own project in a timely manner, and promptly investigate potential security risks.

At the user level, each attack reduces users' confidence in DeFi a little more. If no precautions are taken, users will lose confidence in DeFi. For DeFi, confidence is very important. Without confidence, DeFi has no future.

Large centralized exchanges still have remedial measures. In the event of asset loss, a well-funded centralized institution will generally compensate users for losses and set up an insurance pool. How should remediation work in decentralized finance? Decentralized insurance, or a joint backstop? Without the endorsement of a centralized institution, this is essentially a search for an effective mechanism for governing a commons.

Unlike other industries, DeFi, as an open and permissionless public financial field, is a system in which what affects one part affects the whole. The loss of a project is no longer the loss of the project alone; it weakens the confidence of other DeFi participants. As the only useful narrative of the public chain at present, such a tragic event may even affect the development of competing products and even the entire industry.

At a time like this, the attacks, provocations, and even nationalist remarks driven by competition are all the more ironic. After the incident, both the Chinese DeFi community and Lendf.Me community members gave Lendf.Me full support and trust. By now, those who lost funds, users, project teams, DeFi, Ethereum and blockchain have all become a community with a shared destiny.
