There is no doubt that Decentralized Finance (DeFi) has been central to the Ethereum ecosystem for the past year. Unfortunately, this use of the second-largest blockchain by the market capitalization of its underlying cryptocurrency does not come without its own set of flaws.
Reports indicate that on April 18, a leading protocol was hacked for a large sum of Ether and an Ethereum-based tokenized version of Bitcoin.
According to blockchain developer and DeFi specialist Julien Bouteloup, an attacker managed to drain a pool on Uniswap (a decentralized exchange), earning over $300,000 in ETH and in imBTC, an Ethereum-based tokenized version of Bitcoin, in the process:
“imBTC's Tokenlon pool on Uniswap has been attacked and drained. The simple attack vector on Uniswap allowed them to steal more than $300,000 in ETH + BTC,” they wrote.
The vulnerability was described 16 months ago: https://t.co/a3AiJyY969 https://t.co/MKC2jNP1Y4 pic.twitter.com/cXOVu6le3P
– Julien Bouteloup (@bneiluj) April 18, 2020
Although a post-mortem on the event has yet to be released, Bouteloup claimed that the exploit that allowed the attacker to make off with such a large sum of cryptocurrency was described in an audit of the Ethereum-based Uniswap protocol 16 months ago.
According to a GitHub post revealing the audit details, the exploit involves an attacker creating a "fake exchange" that resembles the original exchange.
From there, the attacker can manipulate Uniswap so that the price of an asset becomes very cheap in the original pool, allowing them to walk away with coins at a price far below their real market value.
In this case, the stolen currency was a tokenized Bitcoin, imBTC.
This is not the first time this has happened in a DeFi app
This is far from the first time in recent months that a user has made huge profits by taking advantage of bugs in Ethereum-based DeFi protocols.
In February, the bZx protocol suffered two attacks just a few days apart. The two attacks were not exactly the same, but the essence of both is as follows:
- One user took out a “flash loan” of a large sum of ETH from bZx. A flash loan is a loan in which the user borrows and repays the capital within the same transaction.
- The ETH was used to buy another Ethereum-based asset.
- The user manipulated the price that other protocols saw for that Ethereum-based asset, profiting because price oracles registered false values.
The attacks saw bZx users lose $300,000 and around $650,000, totaling nearly $1 million.
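The common thread in both incidents above is a protocol trusting a price that a single large trade can move. The following added example (not code from the article or from any of the protocols named) models that mechanism from the defender's side: a toy constant-product pool, a naive spot-price oracle that reads the pool's reserves directly, and a time-weighted average price (TWAP) check that rejects a reading which deviates sharply from recent blocks. The pool sizes, block time, deviation threshold and loan amount are constructed for illustration.

```python
"""Why spot-price oracles are manipulable and how a TWAP sanity check resists it.

Added illustration; the pool, oracle and numbers below are constructed, not taken
from Uniswap, bZx or any real deployment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ConstantProductPool:
    """Minimal x*y=k automated market maker (fees omitted so the arithmetic is exact)."""
    reserve_eth: float
    reserve_tok: float

    def spot_price(self) -> float:
        """ETH per TOK implied by the current reserves: what a naive oracle reads."""
        return self.reserve_eth / self.reserve_tok

    def swap_eth_for_tok(self, eth_in: float) -> float:
        """Sell ETH into the pool; the invariant k = x*y fixes how much TOK comes out."""
        k = self.reserve_eth * self.reserve_tok
        new_eth = self.reserve_eth + eth_in
        new_tok = k / new_eth
        tok_out = self.reserve_tok - new_tok
        self.reserve_eth, self.reserve_tok = new_eth, new_tok
        return tok_out


@dataclass
class TwapOracle:
    """Time-weighted average of per-block spot observations (simplified TWAP idea)."""
    observations: List[Tuple[int, float]] = field(default_factory=list)  # (timestamp, spot)

    def record(self, timestamp: int, spot: float) -> None:
        self.observations.append((timestamp, spot))

    def twap(self, window_seconds: int) -> float:
        """Average spot over the window, each observation weighted by how long it held."""
        start = self.observations[-1][0] - window_seconds
        obs = [o for o in self.observations if o[0] >= start]
        if len(obs) < 2:
            raise ValueError("not enough observations for a TWAP")
        weighted = 0.0
        for (t0, p0), (t1, _) in zip(obs, obs[1:]):
            weighted += p0 * (t1 - t0)
        return weighted / (obs[-1][0] - obs[0][0])


def guarded_price(pool: ConstantProductPool, oracle: TwapOracle,
                  window_seconds: int, max_deviation: float) -> float:
    """Accept the live spot price only if it is close to the TWAP reference."""
    spot = pool.spot_price()
    reference = oracle.twap(window_seconds)
    deviation = abs(spot - reference) / reference
    if deviation > max_deviation:
        raise ValueError(f"spot {spot:.4f} deviates {deviation:.0%} from TWAP {reference:.4f}")
    return spot


def simulate(flash_loan_eth: float = 1000.0) -> Dict[str, float]:
    """One block in which borrowed ETH is dumped into the pool; compare the two oracles."""
    pool = ConstantProductPool(reserve_eth=1000.0, reserve_tok=100_000.0)  # 0.01 ETH per TOK
    oracle = TwapOracle()
    block_time = 13  # constructed block interval in seconds
    # Ten quiet blocks: the price sits at 0.01 ETH per TOK the whole time.
    for i in range(10):
        oracle.record(i * block_time, pool.spot_price())
    spot_before = pool.spot_price()

    # Same block as the last observation: the borrowed ETH is sold into the pool,
    # so the reserves (and therefore the spot price) jump before any new observation.
    tok_received = pool.swap_eth_for_tok(flash_loan_eth)
    spot_after = pool.spot_price()

    window = 9 * block_time  # covers all ten recorded observations
    naive_accepted = True    # a spot-price oracle has no basis to refuse the reading
    try:
        guarded_price(pool, oracle, window, max_deviation=0.05)
        guarded_accepted = True
    except ValueError:
        guarded_accepted = False

    return {
        "spot_before": spot_before,
        "spot_after": spot_after,
        "tok_received": tok_received,
        "twap": oracle.twap(window),
        "naive_accepted": naive_accepted,
        "guarded_accepted": guarded_accepted,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With the constructed numbers, selling 1,000 ETH into a 1,000 ETH / 100,000 TOK pool quadruples the spot price within a single block; a protocol reading the pool directly would value the attacker's freshly bought tokens at that inflated price, while the TWAP reference stays at 0.01 and the guarded read refuses the 300% deviation. A TWAP is not a complete fix (a manipulation sustained across several blocks shifts the average, at a cost to the attacker), which is why production designs combine it with deviation bounds, multiple independent sources, or both.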