The latest loss recorded by the lending protocol Lendf.me amounted to $25 million worth of Bitcoin (BTC) and Ethereum (ETH).
Lendf, one of the two protocols supported by dForce Foundation, saw the assets exiting from its accounts after a coordinated hack late Saturday and early Sunday.
The lending protocol said:
“Lendf.me confirmed it was attacked at 8:45 Beijing time Sunday at block height 9899681.”
Attack initiated by imBTC
Other DeFi protocol builders speculated that the attack was initiated by imBTC, an Ethereum (ETH) token paired one-to-one with Bitcoin (BTC), allowing the attacker space to siphon funds without pain.
What is not obvious now is whether users could withdraw their funds or that the attacker has taken over all the $25 million that represent more than 99 percent of their savings.
However, Robert Leshner, CEO of Compound, said the attacker took over all funds.
“If a project doesn’t have the expertise to develop its own smart contracts, and instead steals and redeploys somebody else’s copyrighted code, it’s a sign that they don’t have the capacity or intention to consider security. Hope developers & users learn from the Lend.me hack.”
“This is a follow-up attack to the imBTC Uniswap attack yesterday”, Leshner said, noting that imBTC is not a normal ETH asset.
“Smart contracts that include imBTC have to be extra cautious, and write additional code to protect against ‘re-entrancy attacks.”
In March, Cryptolydian reported that IOTA’s Trinity Wallet software was vulnerable as hackers managed to access its private keys. However, the hack was attributed to MoonPay which allows its users to purchase Iota directly.
The foundation urged users to use the migration tool to transfer their codes into secure accounts.