The decentralized finance ecosystem suffered a devastating blow over the weekend of April 18-19, 2020, as attackers exploited a known vulnerability to drain more than $25 million in cryptocurrency from two prominent DeFi platforms — Uniswap and Lendf.me. The incidents, believed to be carried out by a single group or individual, have reignited urgent conversations about the security of decentralized protocols and the digital assets that rely on them.
TL;DR
- Reentrancy attacks on Uniswap and Lendf.me drained over $25 million combined
- Lendf.me lost 99.95% of its total funds, while Uniswap lost between $300,000 and $1.1 million in imBTC tokens
- The vulnerability in the ERC-777 token standard had been publicly documented since July 2019
- Both platforms were taken offline immediately after the attacks were discovered
- The incident raises critical questions about security audits and rapid response in DeFi
How the Attacks Unfolded
The first strike hit Uniswap, a fully decentralized peer-to-peer cryptocurrency exchange built on Ethereum. At 8:58 AM Singapore Time on April 18, an attacker leveraged a reentrancy vulnerability in the ERC-777 token standard to execute repeated withdrawals from the ETH-imBTC liquidity pool. The attacker made off with imBTC tokens — a tokenized version of Bitcoin on the Ethereum network operated by Tokenlon — worth between $300,000 and $1.1 million.
By 12:12 PM, Tokenlon had identified the anomaly, classified it as a P0-level security incident, and assembled an emergency response team. The company suspended imBTC transfers at 12:49 PM and notified all partners, including Lendf.me, to assess potential security risks. However, after receiving confirmations from partners that it was safe to proceed, imBTC transfers were resumed at 5:00 PM that same day.
The decision proved costly. At 9:28 AM on April 19, Tokenlon received word from Lendf.me that a similar reentrancy attack had been executed on their platform, this time resulting in the theft of more than $24 million — draining 99.95% of the lending platform’s total funds. imBTC transfers were suspended again at 10:12 AM.
The Technical Vulnerability
The root cause of both attacks was a reentrancy vulnerability that arises when ERC-777 tokens interact with certain DeFi smart contracts. The ERC-777 standard itself is not inherently flawed, but its combination with the specific contract architectures used by Uniswap and Lendf.me created an exploitable window. An ERC-777 transfer invokes a hook on the token holder's contract, handing control to that contract in the middle of the transfer; a platform contract that only updated its own balance records after the transfer returned could therefore be re-entered, which allowed attackers to repeatedly withdraw funds before the initial transaction was validated and recorded.
What makes this particularly troubling is that the vulnerability had been publicly documented by OpenZeppelin since July 2019 — nearly ten months before the attacks. The exploit code and explanation were available in a public GitHub repository, yet neither platform had implemented sufficient protections against this known attack vector.
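As an added illustration, not code from the original article or from Uniswap, Lendf.me, Tokenlon or OpenZeppelin, the Python model below shows the mechanism in miniature: a token whose transfer runs the recipient's hook mid-call, a pool whose withdraw() either transfers before or after updating its records, and an optional mutex. The HookToken and Pool classes, the scenario balances and the holder named "bob" are all constructed for this example.

```python
# Python model of an ERC-777-style transfer hook handing control to the token
# recipient mid-call, beside two defences: bookkeeping before the external call
# (checks-effects-interactions) and a mutex. Not Uniswap/Lendf.me/Tokenlon code.
class HookToken:
    # As in ERC-777, transfer() runs the recipient's hook before returning.
    def __init__(self, balances):
        self.balances, self.hooks = dict(balances), {}
    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("token balance too low")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        self.hooks.get(to, lambda _a: None)(amount)   # recipient code runs here

class Pool:
    # use_cei=False: transfer first, bookkeeping after; guard=True: add mutex.
    def __init__(self, token, deposits, use_cei, guard):
        self.token, self.deposits = token, dict(deposits)
        self.use_cei, self.guard, self.locked = use_cei, guard, False

    def withdraw(self, who, amount):
        if self.guard and self.locked:
            raise RuntimeError("withdraw re-entered")
        if self.deposits.get(who, 0) < amount:
            raise ValueError("insufficient deposit")
        self.locked = True
        try:
            if self.use_cei:                     # effects, then interaction
                self.deposits[who] -= amount
                self.token.transfer("pool", who, amount)
            else:                                # interaction, then effects
                self.token.transfer("pool", who, amount)
                self.deposits[who] -= amount
        finally:
            self.locked = False

def run_scenario(use_cei, guard):
    # Pool holds 110 tokens (100 from others, 10 from "bob"); bob withdraws 10
    # with a constructed hook that re-enters withdraw() until it is rejected.
    token = HookToken({"pool": 110, "bob": 0})
    pool = Pool(token, {"others": 100, "bob": 10}, use_cei, guard)
    rejected = []                                # messages from refused re-entries
    def hook(_amount):
        try:
            pool.withdraw("bob", 10)
        except (ValueError, RuntimeError) as e:
            rejected.append(str(e))
    token.hooks["bob"] = hook
    pool.withdraw("bob", 10)
    return token.balances["bob"], token.balances["pool"], rejected
```

With the unsafe ordering only the token's own balance check stops the loop, so the pool is emptied; with bookkeeping done first, or with the mutex, the nested call is refused and the holder receives exactly the 10 deposited.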
Immediate Aftermath
In the wake of the attacks, both Uniswap and Lendf.me were taken offline to prevent further exploitation. Tokenlon announced that imBTC transfers would remain suspended until all parties were confident the system was secure. Users were advised to monitor official channels for updates.
The attacks sent ripples through the broader DeFi community, which was still in its nascent stages in April 2020. With Bitcoin trading at approximately $6,880 and Ethereum at $172.74 according to CoinMarketCap data, the total crypto market capitalization hovered around $201 billion. The $25 million loss, while modest by later DeFi hack standards, represented a significant percentage of the total value locked in DeFi protocols at the time.
Broader Implications for Digital Assets
The Uniswap and Lendf.me hacks highlighted a fundamental tension in the emerging world of tokenized digital assets and decentralized platforms. On one hand, the ERC-777 standard was designed to improve upon ERC-20 by adding hooks for more complex token interactions. On the other hand, these same hooks created attack surfaces that could be exploited when tokens were used in ways their designers had not fully anticipated.
For the digital collectibles and tokenized asset space, the incident served as a cautionary tale. If established DeFi protocols with significant financial backing could fall victim to publicly known vulnerabilities, smaller projects building on similar standards needed to take security audits far more seriously. The attacks also demonstrated that the composability that makes DeFi powerful — the ability for any protocol to interact with any token — also creates interconnected risk that can cascade across platforms.
Why This Matters
The April 2020 reentrancy attacks were among the first major DeFi security incidents to gain widespread attention, coming at a time when the sector was just beginning to attract institutional interest. They established a pattern that would repeat throughout 2020 and beyond: publicly known vulnerabilities being exploited on platforms that failed to implement timely fixes. The incident accelerated the development of formal verification tools, security auditing standards, and insurance protocols that would become essential infrastructure for the DeFi ecosystem. For anyone involved in digital assets — whether as a trader, developer, or collector — the lesson was clear: in a decentralized world, security is not optional, and transparency about vulnerabilities is only useful if teams act on them.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.
ERC-777 vulnerability was known since July 2019 and nobody did anything. 25M later we are still having the same audit conversation.
Tokenlon resumed imBTC transfers the same day after getting the all-clear from partners and Lendf.me got drained 12 hours later. The communication breakdown here is staggering.
Lendf.me losing 99.95% of funds is devastating. That platform is basically dead now. Single point of failure in the ERC777 hook.
This is why reentrancy guards should be mandatory in every DeFi protocol. OpenZeppelin had patterns for this. No excuse for a $25M lesson.
Same attacker, both platforms, 12 hours apart. The imBTC resume decision was the fatal mistake. Tokenlon should have kept transfers paused for 48h minimum.