SlowMist: Restore the truth about the Lendf.Me hacking incident (Released in 2020)

SlowMist
4 min read · May 9, 2023

In the early morning of April 22, dForce officially announced that, as of 14:41 on April 21, nearly $25 million in stolen digital assets had been recovered.

Since the attack on April 19, the SlowMist security team has been following the incident closely, tracking the movement of the stolen assets, tallying the total loss, and analyzing the attack itself. The following is a brief review of the incident.

  • At 8:58 on April 19th, hackers began to attack the Lendf.Me contract.
  • At 10:59 on April 19th, the SlowMist security team issued an attack warning:

Just now, the SlowMist security team discovered that Lendf.Me has been attacked, and the site is currently closed. The SlowMist security team's analysis found that it is similar to yesterday's attack on Uniswap, and it is very likely that it was carried out by the same group. The SlowMist security team is intensively following up and analyzing, and detailed information will be released later.

  • At 12:25 on April 19th, the SlowMist security team issued an early warning of asset exchange by attackers:

According to monitoring by SlowMist's Anti-Money Laundering (AML) system, the Lendf.Me attacker 0xa9bf70a420d364e923c74448d9d817d3f2a77822 is continuously converting the PAX obtained in the attack into ETH. The exchange platforms used include 1inch.exchange, ParaSwap, etc. The SlowMist security team hereby reminds exchanges and wallets to strengthen address monitoring to prevent the related malicious funds from flowing into their platforms.

  • At 14:00 on April 19th, the security teams of dForce, Spark and imToken met in person and connected remotely with the SlowMist security team, forming a "temporary security team" to begin asset recovery.
  • At 15:03 on April 19th, the SlowMist security team issued a statistical warning on the amount of losses:

According to statistics from the SlowMist Anti-Money Laundering (AML) system, based on the assets that the attack contract (0x538359785a…759D91D) deployed by the attacker obtained from Lendf.Me, the cumulative loss is about 24,696,616 US dollars. The specific tokens and amounts stolen are:
WETH: 55159.02134,
WBTC: 9.01152,
CHAI: 77930.93433,
HBTC: 320.27714,
HUSD: 432162.90569,
BUSD: 480787.88767,
PAX: 587014.60367,
TUSD: 459794.38763,
USDC: 698916.40348,
USDT: 7180525.08156,
USDx: 510868.16067,
imBTC: 291.3471

After that, the attacker continued to swap the stolen tokens into ETH and other tokens through DEX platforms such as 1inch.exchange, ParaSwap, and Tokenlon.

  • At 16:19 on April 19th, after detailed internal and external technical analysis and verification, the SlowMist security team released the first public article on the incident, "DeFi Platform Lendf.Me Hacked Details Analysis and Defense Suggestions", disclosing the technical details of the hack and providing corresponding defense recommendations:

The attacker's withdraw() call takes place inside transferFrom: when Lendf.Me's supply() calls transferFrom on the imBTC token, the token invokes the sender's tokensToSend() hook, and the attacker's hook re-enters the Lendf.Me contract and calls withdraw() before supply() has finished updating its own state. In other words, the attacker re-entered Lendf.Me through the supply() path, a classic re-entrancy attack.

In response to this attack, the SlowMist security team recommends:

1. Add a re-entrancy lock to key business methods, for example OpenZeppelin's ReentrancyGuard

2. When writing a contract, update the contract's own state variables first and only then make external calls (the checks-effects-interactions pattern)

3. Before the project goes live, engage a reputable third-party security team to conduct a comprehensive security audit and uncover as many potential security issues as possible

4. When multiple contracts interact, review both the code security and the business-logic security of every party's contracts, and fully consider the security issues that arise from combining different business scenarios

5. Wherever possible, the contract should include a pause switch, so that when a "black swan" event occurs it can be detected in time and the loss stopped

6. Security is dynamic: each project team also needs to gather threat intelligence that may relate to its own project in a timely manner and promptly investigate potential security risks.
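To make the attack path described above and the first two recommendations concrete, here is an added example in plain Python (it is not Lendf.Me's, dForce's or SlowMist's code). It models a token whose transfer_from() calls the sender's tokens_to_send hook before moving balances, as the imBTC hook named above does; a pool whose supply() makes that external call before writing the caller's new balance; and an attacker whose hook re-enters withdraw(). SafePool shows the two fixes recommended above: a re-entrancy lock and writing effects before the external call. All names, balances and the "victim" depositor are constructed for the example; the tx() wrapper stands in for EVM transaction revert.

```python
"""Hook re-entrancy against a Lendf.Me-style pool, and the guarded version."""
import copy


class Reverted(Exception):
    """Raised when a call fails; tx() rolls state back, like an EVM revert."""


class HookToken:
    """Constructed token: notifies the sender (tokens_to_send) BEFORE debiting it."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}  # holder -> callable(sender, recipient, amount)

    def register_hook(self, holder, hook):
        self.hooks[holder] = hook

    def transfer_from(self, sender, recipient, amount):
        hook = self.hooks.get(sender)
        if hook is not None:
            hook(sender, recipient, amount)  # attacker-controlled code runs here
        if self.balances.get(sender, 0) < amount:
            raise Reverted("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class VulnerablePool:
    """supply() computes the new balance, makes the external call, then writes it."""

    def __init__(self, token, name="pool"):
        self.token, self.name, self.deposits = token, name, {}

    def supply(self, user, amount):
        new_balance = self.deposits.get(user, 0) + amount  # read before the call
        self.token.transfer_from(user, self.name, amount)  # hook -> withdraw()
        self.deposits[user] = new_balance                  # clobbers withdraw()'s write

    def withdraw(self, user, amount):
        if self.deposits.get(user, 0) < amount:
            raise Reverted("insufficient deposit")
        self.deposits[user] -= amount
        self.token.transfer_from(self.name, user, amount)  # the pool has no hook


class SafePool(VulnerablePool):
    """Recommendations 1 and 2: re-entrancy lock, and effects before interactions."""

    def __init__(self, token, name="pool"):
        super().__init__(token, name)
        self.locked = False

    def _guard(self, fn, *args):
        if self.locked:
            raise Reverted("reentrant call")
        self.locked = True
        try:
            fn(*args)
        finally:
            self.locked = False

    def supply(self, user, amount):
        def body():
            self.deposits[user] = self.deposits.get(user, 0) + amount  # effect first
            self.token.transfer_from(user, self.name, amount)          # then the call
        self._guard(body)

    def withdraw(self, user, amount):
        self._guard(super().withdraw, user, amount)


class Attacker:
    """Registers a hook that re-enters the pool and withdraws everything credited."""

    def __init__(self, pool, token, name="attacker"):
        self.pool, self.name = pool, name
        token.register_hook(name, self.tokens_to_send)

    def tokens_to_send(self, sender, recipient, amount):
        credited = self.pool.deposits.get(self.name, 0)
        if credited > 0:
            self.pool.withdraw(self.name, credited)  # re-entrant call into the pool


def tx(token, pool, fn, *args):
    """Run one call as a transaction: a Reverted exception rolls all state back."""
    snapshot = (copy.deepcopy(token.balances), copy.deepcopy(pool.deposits))
    try:
        fn(*args)
        return True
    except Reverted:
        token.balances, pool.deposits = snapshot
        return False


def run_attack(pool_cls, rounds=3):
    """Victim deposits 1000; attacker holds 100, deposits 50 honestly, then re-enters."""
    token = HookToken({"victim": 1000, "attacker": 100})  # constructed balances
    pool = pool_cls(token)
    tx(token, pool, pool.supply, "victim", 1000)
    tx(token, pool, pool.supply, "attacker", 50)
    Attacker(pool, token)  # malicious hook installed only after the honest deposit
    reverted = sum(not tx(token, pool, pool.supply, "attacker", 50) for _ in range(rounds))
    tx(token, pool, pool.withdraw, "attacker", pool.deposits.get("attacker", 0))  # cash out
    return {
        "attacker_tokens": token.balances["attacker"],
        "pool_tokens": token.balances.get("pool", 0),
        "reverted_rounds": reverted,
        "solvent": token.balances.get("pool", 0) >= sum(pool.deposits.values()),
    }
```

Against VulnerablePool every round credits the attacker with 50 more than was paid in while the hook pulls the previous credit back out, so after three rounds the attacker cashes out 400 tokens from an initial 100 and the pool is left owing the victim more than it holds. Against SafePool the hook's withdraw() hits the lock, the whole supply() reverts, and the attacker can only recover their own 50. Either fix alone blocks this path (with effects written first, the hook's withdrawal is honestly debited), which is why the article recommends both.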

  • On April 20, based on the traces the hacker left before and after the attack, the "temporary security team" built an accurate profile of the hacker and began cross-referencing it against resources at home and abroad to obtain breakthrough clues.
  • On the afternoon of April 21st, under heavy pressure, the hacker proactively contacted dForce and began returning some of the assets. After further communication, all assets were successfully recovered.

From April 19th to April 21st, the "temporary security team" went through a highly complex "golden 48 hours". Careful planning and execution played a decisive role and produced an excellent result. Now that the dust has settled, the SlowMist security team pays its highest respect to every member of the "temporary security team" and sincerely thanks everyone who directly or indirectly helped this operation along the way. It is a far-reaching and successful action that has gone down in cryptocurrency history, and everyone involved made that history together.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/
