Profile picture
, 11 tweets, 6 min read
My Authors
Read all threads
🚨🚨🚨 @LendfMe, a DeFi lending protocol, was just drained from $25M to less than $10K in one instant.

A simple explainer of what happened, as I understand it:

1/x Image
Let's look at the transaction level first.

It seems like an attacker was able to supply imBTC to @LendfMe...then withdraw more than he deposited.

What was happening?

2/x Image
To understand this, let's remind ourselves what a re-entrancy attack is.

When a process is interrupted in the middle, initiated again, then both the original and "re-entered" processes execute, a re-entrancy attack has occurred.

pic source: @hackernoon

3/x Image
This exploit was used in the $150M DAO hack:

In simplistic terms, during the hack, you:

- Submit a legitimate withdrawal
- Before the contract could update your balance...
- ...recursively withdrew more than you are entitled to

hackingdistributed.com/2016/06/18/ana…

4/x
Today, a similar exploit happened on @LendfMe.

Hacker deposited imBTC as collateral, then initiated a re-entrancy attack, withdrawing much more collateral than he deposited ($25M) initially.

But how was this possible?

5/x
imBTC uses a token standard called ERC777.

It’s like a more flexible version of ERC20. One of its features, “hook”, streamlines transactions, but also makes re-entrancy attacks easier.

@Consensys did a code audit that explains how this works:

github.com/ConsenSys/Unis…

6/x Image
This is not new info - the @UniswapProtocol team was aware of this since a year ago from the above code audit.

This is a testament to the fact that code audits are not just security theater. They are a worthwhile investment!



7/x
So there you have it - a preventable re-entrancy attack performed on a relatively new token standard was what enabled the imBTC pool to be drained on @LendfMe today.

Chinese readers, a more detailed walkthrough from @SlowMist_Team:

matataki.io/p/3460?c=83748…

8/x
Before we toss the baby out with the bathwater, vulnerabilities like this can be patched, and ERC777 presents some exciting UX improvements for crypto.



9/x
Some have asked - if @UniswapProtocol was aware of this, how was $300K still drained from their imBTC pool ytd?

afaik Uniswap v1 is made for ERC20. ERC777 promises backwards compatibility. The imBTC pool was supplied by users, not Uniswap.

defirate.com/imbtc-uniswap-…

10/x
h/t @Rewkang @tzhen for spotting/sharing this earlier today
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Jason Choi 蔡浩霆

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @mrjasonchoi see all

Profile picture
Jason Choi
@mrjasonchoi
0/ A lot of people have been asking about @synthetix_io $SNX price performance lately.

Some thoughts on its token demand + supply imbalance:
1/ @synthetix_io first caught my eye when it started climbing the ranks (quickly) on @defipulse in $ value locked up.

More than 80% of $SNX holders stake their tokens to mint synthetic assets, mostly synthetic USD and ETH. That’s a pretty impressive % of actual token usage.
2/ How it works: users mint synthetic assets against a pool of SNX collateral, and trade by converting it to other synthetic assets.

eg If 50% of pool is used to back sBTC and the other 50% sUSD, BTC price increases, sBTC holders’ gains are socialized between sUSD minters.
Read 13 tweets
Profile picture
Jason Choi
@mrjasonchoi
0/ We need better ways of discussing value accrual in cryptoassets.

Some thoughts after a recent convo with @SpartanBlack_1
1/ Skeptical investors love to point out cryptoassets that failed to attain a monetary premium (like $BTC) have no "intrinsic value", and are succumb to the velocity problem, and are hence worthless.

Yet the market clearly disagrees.
2/ Today, even in a choppy market where volatility is half of what it was in 2017-2018's speculative highs, there are 30+ cryptoassets with fully diluted network values of $500M+, many of which are supported by 6 - 9 figure daily *real* trading volumes.
Read 21 tweets
Profile picture
Jason Choi
@mrjasonchoi
👉🏻 Some assume crypto has a better shot at eating retail payments in Asia because the market is so saturated in the US.

My $0.02 about why this is a lazy thesis. Happy to be proven wrong!

1/x
First, the Holy Grail - China.

China’s retail payments scene is dominated by Alipay and Wechat, which processed $37T last year alone (!!!)

A whopping 85% of purchases was on mobile...of which A and W have 90%+ share. Features like facial recognition further improve UX. 2/x
Both are licensed by the PBoC, and should a non-government issued, uncensorable stablecoin present a serious threat, on-ramps and merchant adoption can be banned.

With PBoC creating its own digital currency, I don’t see crypto as day-to-day payments taking off at all 3/x
Read 11 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!