There’s no doubt that decentralized finance (DeFi) has been central to the Ethereum ecosystem over the past year. But unfortunately, this use for the second-largest blockchain by its underlying crypto’s market capitalization doesn’t come without its own set of flaws.
Reports indicate that on April 18th, a leading protocol was just hacked for a large sum of Ether and tokenized Bitcoin.
$300,000 in Ethereum & Bitcoin Swiped
According to blockchain developer and DeFi specialist Julien Bouteloup, an attacker managed to drain a Uniswap-based pool (a market), and gained more than $300,000 worth of ETH and an Ethereum-based tokenized version of Bitcoin, imBTC, in the process:
“imBTC TokenIon pool on Uniswap has been attacked and drained. Simple attack vector on Uniswap [allowed them] to steal more than $300,000 in ETH + BTC,” they wrote.
imBTC @tokenlon pool on @Uniswap has been attacked & drained🔥
Simple attack vector on ERC777 (with arbitrary code execution during transfer fct) on Uniswap to steal >$300k (#ETH+#BTC)
The vulnerability was described 16mths ago: https://t.co/a3AiJyY969 https://t.co/MKC2jNP1Y4 pic.twitter.com/cXOVu6le3P
— Julien Bouteloup (@bneiluj) April 18, 2020
Although a post-mortem of the event has not yet been released, Bouteloup claimed that the exploit that allowed the user to make away with such a large sum of crypto was explained by in an audit of the Ethereum-based Uniswap’s protocol 16 months ago.
According to a GitHub post revealing the details of the audit, the exploit involves an attacker creating a “fake exchange (pool)” that resembles the original exchange.
From there, the attacker can manipulate Uniswap to make the price of an asset very cheap in the original pool, allowing them to make awake with coins at a price much lower than their actual market value.
In this case, the coin stolen was a tokenized Bitcoin, imBTC.
Not the First DeFi Hack
This is far from the first time a user has turned a large profit by leveraging bugs in Ethereum-based DeFi protocols over the past few months.
In February, protocol bZx suffered two attacks just days apart from each other. The two attacks weren’t exactly the same, but the gist of both of them are as follows:
- A user took out a “flash loan” of a large sum of ETH from bZx. A flash loan is where a user borrows and returns the loaned capital in the same transaction.
- The ETH was used to purchase another Ethereum-based asset.
- The user deployed manipulation to change how other protocols see the price of said Ethereum-based asset, allowing for profits to be made due to price oracles registering the false values.
The attacks saw bZx users lose $300,000 and around $650,000, for a total of nearly $1 million.
Photo by Markus Spiske on Unsplash