Earlier today, we saw the exploitation of a liquidity pool on Uniswap for imBTC – a wrapped version of Bitcoin created by imToken and the Tokelon DEX.

Today, the imBTC pool on Uniswap has been attacked & drained. The hacker utilized an attack vector on ERC777 tokens on Uniswap. The BTC in custody is not impacted. We have paused imBTC transfers for now, are evaluating the situation & will notify when transfers are restored — Tokenlon DEX (@tokenlon) April 18, 2020

The exploit allowed the attacker to drain roughly $300k worth of value due to a reentrancy attack which allowed funds to be drained in a similar fashion to what happened with The DAO back in 2016.

Here’s what you need to know:

The reentrancy attack was possible due to imBTC using the ERC777 standard

Uniswap v1 does not protect against reentrancy attacks for pools using the ERC777 standard

Trading on imBTC was halted immediately following the attack

The BTC backing imBTC tokens were not affected

Tokelon will release a post mortem in the following days.

What Happened?

Without going too deep into the weeds, the attacker was able to call the Uniswap smart contract to withdraw funds before the external balance could be updated, effectively creating a cycle in which all the tokens in the contract could be purchased for pennies.

imBTC @tokenlon pool on @Uniswap has been attacked & drained🔥 Simple attack vector on ERC777 (with arbitrary code execution during transfer fct) on Uniswap to steal >$300k (#ETH+#BTC) The vulnerability was described 16mths ago: https://t.co/a3AiJyY969 https://t.co/MKC2jNP1Y4 pic.twitter.com/cXOVu6le3P — Julien Bouteloup (@bneiluj) April 18, 2020

As we mentioned above, this was largely due to the ERC777 token standard – namely because of “hooks” or payable functions that allow contracts to execute code when they receive tokens (instead of only ETH with the ERC20 token standard).

(10/12) These hooks in ERC777 open up the issue of reentrancy attacks. This isn't a new attack vector, reentrancy caused the famous DAO hack. What's new is this attack is possible with tokens. Developers assume ETH transfers are vulnerable, but token transfers are safe. pic.twitter.com/Vt73Irj1f3 — David Mihal 🔥 (@dmihal) April 18, 2020

This issue was described in depth on Conensys’s audit of Uniswap, which can be read in detail here. For your convenience here’s a look at what happened using the example from the audit.

“If token allows making reentrancy on transferFrom(address from, address to, uint tokens) function by someone except the recipient, then all the liquidity funds might be stolen. For example, if token calls callback function of from address. It’s irrelevant if reentrancy is done before or after the balances update.”

Why Should I Care?

This attack brought to light a number of discussions regarding the ERC777 standard and Uniswap itself. For starters, Uniswap has expressed that they do not support ERC777 but their UI fails to mention this – leaving this knowledge on the shoulder’s of the liquidity pool creator.

Uniswap V1 never supported ERC-777, has been discussed publicly a few timeshttps://t.co/EbbKygvcqZ V2 works with 777 but yeah this is quite unfortunate :/ — Hayden Adams 🦄 (@haydenzadams) April 18, 2020

While supported in Uniswap V2, this type of attack was destined to happen to someone, and it seems that the imBTC pool was the prime choice for the attacker. Most recently, we say imBTC supported as a part of the BTC++ Pie from PieDAO. This attack lead to BTC++ trading being halted within the pool as well.

This morning imBTC's Uniswap V1 pool was compromised as you probably know. At @PieDAO_DeFi we were woken up and took immediate action. The safeguards our team put in place highlight why $BTC++ and other PIEs are an ideal product for #DeFi…https://t.co/NjtIB9Kg1B — Dan Matthews | PieDAO (@LSDan_DeFi) April 18, 2020

The wider narrative here is that while this attack was unfortunate for imBTC, many are pleading that ERC777 as a standard should not be dismissed because of one exploit. The ability for contracts to execute code when interacting with tokens has a number of benefits including transaction efficiency and the prevention of users sending funds to a contract address and having them lost forever. Here’s a great thread describing this thought.

(1/10) The imBTC/Uniswap hack took advantage of the ERC777 standard, now I'm seeing many people saying that ERC777 is inherently bad or unsafe. ERC20 is safer than ERC777 in the same way that Bitcoin is safer than Ethereum. It's safe because it's limited. Here's some thoughts: — David Mihal 🔥 (@dmihal) April 18, 2020

In summary, this attack goes to show that token issuers need to stay on their toes when accessing the endless financial primatives being discovered on Ethereum. If anything, this attack will further battle harden DeFi, and we’re excited to cover the rest of this story as it unfolds in the coming week.

To stay up on all new updates regarding the situation, we recommend following the imToken project here.