More than $25 million have been stolen from smart contracts on Uniswap and Lendf.Me DeFi protocols through a reentrancy attacks. Uniswap’s attack occurred yesterday, whereas the attack on Lendf.Me was reported just today.

According to the April 19 announcement, it was reported yesterday that Uniswap’s smart contracts containing imBTC were drained. An attacker had used a vulnerability with Uniswap and ERC-777 to perform the reentrance attack. After observing the abnormality, the TokenIon team defined the incident as a P0-level security issue and established an emergency response team.

As part of measures to bring the situation under control, the TokenIon team suspended all transfers of imBTC tokens and notified its partners, including Lendf.Me to evaluate potential securities risk. After receiving the confirmation from Lendf.Me and other partners that everything is alright, the team resumed imBTC transfers.

Notwithstanding, the TokenIon team received a message from Lendf.Me today concerning another reentrance attack. This new attack, according to the team, was similar to the one that happened yesterday to Uniswap. The attack has resulted in a large number of abnormal borrowing on the platform. As part of bringing this new attack too under control, Lendf.Me website is now offline and smart contracts have been paused, for security investigations to be carried out.

The announcement further noted that the imBTC holders who have not yet deposited their tokens to the Lendf.Me platform are not affected. According to the team, the imBTC transfers will be resumed after TokenIon and its partners are confident that it is secure to do so.imBTC is an ethereum-based tokenized Bitcoin issued by TokenIon. The token is an ERC-777 compatible token anchored 1:1 to BTC. The TokenIon team claims the ERC-777 standard has no security vulnerabilities. However, they attributed the above mentioned reentrancy attacks to the combination of using ERC-777 tokens and Uniswap/Lendf.Me contracts.