DeFi or decentralized finance is a growing sector in the blockchain and cryptocurrency space that defines an ecosystem of decentralized applications providing financial services with no governing authority.
Lendf.me is a DeFi app utilizing smart contracts in order to provide instant, decentralized lending. The platform suffered an attack causing the loss of $25m in cryptocurrency on the day of April 19, 2020.
Thus, joining the list of other DeFi protocols exploited recently:
Synthetix hack — 37M sETH stolen
bZx hack — $900k stolen
Lendf.me’s current vulnerability is a unique instance of the reentrancy bug. Reentrancy is a well-known issue in the field of computing, referring to the ability of a subroutine to be interrupted in the middle of its execution and (then safely) be called again.
Other reentrancy bugs have been exploited in the past, causing massive damage, including:
The DAO hack — $150m stolen
Spank Chain hack — $30k stolen
The Lendf.me attack took place on the Ethereum main-net smart contract named MoneyMarket, which implements the core logic of the Lendf.me app.
Understanding the Lendf.me vulnerability
In order to best understand the underlying cause of the vulnerability, we should consider the contents of the various functions in the MoneyMarket contract.
First, we will consider the
MoneyMarket.supply()MoneyMarket.supply()MoneyMarket.supply()MoneyMarket.doTransferIn()The main purpose of the
MoneyMarket.supply()The main logic flow of the
MoneyMarket.supply()First, we read the balance variable that represents the user’s deposited asset balance in
MoneyMarketMoneyMarket.checkTransferIn()MoneyMarketLater
MoneyMarket.doTransferIn()transferFrom()MoneyMarketMoneyMarket.supply()Let’s go over the
MoneyMarket.withdraw()transfer()Can you spot the vulnerability by now?
The issue here is that
MoneyMarket.supply()asset.transferFrom()But why is Lendf.me’s vulnerability exploitable?
In order to understand this, we will have a look at the imBTC contract (or any other ERC-777 compliant contract)
imBTC._transferFrom()imBTC._callTokensToSend()The attacker took advantage of the fact that some of the assets implement ERC-777 standard, which means that the
imBTC._callTokensToSend()attackerContract.tokensToSend()This way, the attacker’s contract gets a chance to call
MoneyMarket.withdraw()MoneyMarket.supply()Attack Strategy
The only prerequisite for attempting the exploit is for an attacker to deploy an attacker contract that holds some amount of any asset that is ERC-777 compliant, let’s assume for example that the attacker holds 10 tokens of imBTC.
Now,
The attacker would place the first transaction that invokes
MoneyMarket.supplyimBTCAddressMoneyMarketMoneyMarket.supplyMoneyMarket.withdrawimBTCAddressrequestedAmountattackerContract.tokensToSend()By the end of this transaction, the attacker’s imBTC balance in the imBTC token contract is 9, but the imBTC supply in the
MoneyMarketMoneyMarket.supply()Therefore, the function doesn’t “know” at this point, that the attacker has already withdrawn some of his supply.Now, the attacker holds a deposit on the
MoneyMarketThe attacker can use this to (falsely) borrow or withdraw assets deposited by other users. Furthermore, these two steps could be potentially performed, again and again, thus draining
MoneyMarketMitigation
When writing the smart contract code, try not to update any storage variables after an external call.If not possible, deploy some locking mechanism, like the commonly known
ReentrancyGuardMoneyMarket.supply()MoneyMarket.withdraw()(Written by David Oz Kashi on Behalf of Valid Network)