The whole story of the attack on Uniswap and Lendf.Me: the "domino" collapse under the DeFi Lego combination
PeckShield
2020-04-21 05:16
This article is about 3,045 words; reading it takes about 12 minutes.
These are two further attacks in which hackers took advantage of systemic risk-control loopholes in DeFi, following the bZx attack at the beginning of the year.

Editor's Note: This article comes from PeckShield (ID: PeckShield), reprinted by Odaily with authorization.


Starting at 08:58 am on April 18, the DeFi platform Uniswap was attacked by hackers using a reentrancy vulnerability. The PeckShield security team quickly located the problem and found that the hackers had exploited a compatibility flaw between Uniswap and the ERC777 standard to carry out a reentrancy attack.

Unfortunately, just 24 hours later, at 08:45 am on April 19, another well-known DeFi platform, Lendf.Me, was also attacked by hackers in a similar way.

The principle of the attack is this: the attacker abuses the callback mechanism of the Ethereum ERC777 standard's transferFrom(). When transferFrom() internally invokes the _callTokensToSend() callback, the attacker hijacks the transaction and performs the malicious operation before _move(), the function that actually updates the balances, has run.

The details of the vulnerability and the attack are presented later in the article.

Figure 1: ERC777 transferFrom()


ERC777 Standard Business Portfolio Compatibility Issues

One of the features of the ERC777 extension is a "hook" mechanism: an ordinary address or a contract can register a tokensToSend() hook function and thereby control, or refuse, the sending of tokens. On top of ERC20 this strengthens the token's risk-control interface, which is in itself a beneficial improvement. However, because DeFi projects are composable, a contract call that crosses between different products greatly increases the complexity of the business logic, and that complexity opens the door to code-injection style attacks.

Figure 2: ERC777-Compatible tokensToSend() Hijacking


Figure 3: OpenZeppelin's Exploit Demo (Hook Setup)

The attacker can then do anything inside tokensToSend(), much like a hook function on a traditional PC. As shown in the figure below, an attacker can perform multiple transfers within the same transaction.

Figure 4: OpenZeppelin's Exploit Demo (Hook Function)


Uniswap was the first platform to be attacked through the ERC777 compatibility issue. As shown in the Bloxy screenshot of the malicious transaction (hash: 0x9cb1d93d6859883361e8c2f9941f13d6156a1e8daa0ebe801b5d0b5a612723c1), a tokenToEthSwapInput() call is made inside the hook function. This means the attacker can first manipulate the exchange rate and then swap another batch of imBTC for more ETH at the lower price.

Figure 5: Uniswap Hack


Lendf.Me attack analysis

Figure 6: Lendf.Me Hack

About 24 hours after Uniswap was attacked, another DeFi platform, Lendf.Me, was also hacked. Below is a screenshot of one of the attack transactions. As shown in the figure, when the actual transfer function transferFrom() is called inside supply(), the attacker's hooked contract embeds a call to Lendf.Me's withdraw(), which drains funds.

It should be noted that under normal business logic, the balance recorded in the project contract should be reduced by the 290 imBTC that the attacker withdrew. However, when supply() returns, the balance has not been reduced and is still 290 imBTC (line 1,599). The attacker thereby controls and inflates his imBTC collateral in Lendf.Me. With a large enough imBTC collateral, the attacker can borrow all of the available assets, more than 10 kinds, from the various liquidity pools (total asset value 25,236,849.44 US dollars).

Figure 7: Lendf.Me Hack Details


As shown in the figure above, after making a profit the attacker immediately transferred each token to the associated account 0xa9bf70. The attacker then used platforms such as 1inch.exchange and ParaSwap to swap the more liquid tokens, such as WETH, PAX and BUSD, dozens of times into ETH, DAI and BAT, and deposited the TUSD and USDT tokens into the Aave lending platform. The current balances of the attacker and the associated account are shown above.


Repair suggestions

The PeckShield security team recommends that developers adopt the "Checks-Effects-Interactions" pattern to prevent this kind of reentrancy attack. For example, in Lendf.Me's supply(), if the token balance is updated first and doTransferIn() is called afterwards, an attacker can no longer reset the balance after withdraw().

On the other hand, the hook mechanism is an inherent feature of the ERC777 standard, so every transaction function must be checked and protected against reentrancy. For example, if supply() and withdraw() share a mutex, an attacker cannot invoke withdraw() from inside the supply() function.
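As an added illustration (not Lendf.Me's or PeckShield's code), here is a minimal lending-pool deposit path written once in the vulnerable order described above and once with both fixes from this section. IToken, VulnerablePool and HardenedPool are hypothetical names; the token is assumed to be an ERC777-style token whose transferFrom() runs the sender's tokensToSend() hook before _move() updates balances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed ERC777-style token: transferFrom() runs the sender's hook before _move()
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Deposit path in the order the article describes: interaction before effect.
contract VulnerablePool {
    IToken public immutable token;
    mapping(address => uint256) public balances;
    constructor(IToken t) { token = t; }
    function supply(uint256 amount) external {
        uint256 newBalance = balances[msg.sender] + amount;   // stale local copy
        // The ERC777 hook in msg.sender runs inside this call and may re-enter withdraw()
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] = newBalance;   // overwrites the debit withdraw() just made
    }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// Same pool with both recommended fixes: effects before interactions, plus a
// mutex shared by supply() and withdraw() so neither can run inside the other.
contract HardenedPool {
    IToken public immutable token;
    mapping(address => uint256) public balances;
    bool private locked;
    constructor(IToken t) { token = t; }
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function supply(uint256 amount) external nonReentrant {
        balances[msg.sender] += amount;   // effect written to storage first
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

In VulnerablePool a hook that calls withdraw() during transferFrom() sees its debit undone by the final write of newBalance; in HardenedPool the same call reverts on the mutex, and even without it the balance is read from storage rather than a stale copy.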

The last point that cannot be ignored is that we need to seriously consider the systemic risks created by combining DeFi businesses. Platform operators must not only ensure a solid code audit and vulnerability investigation before a product goes online, but also, when combining business with other products, consider the potential systemic risk-control issues that arise from their differing business logic.
