UPDATED 20:57 EDT / APRIL 19 2020

BLOCKCHAIN

$25M in cryptocurrency stolen in hack of Lendf.me and Uniswap

About $25 million in cryptocurrency was stolen from Uniswap and Lendf.Me over the weekend by hackers who exploited a technology underlying the Ethereum blockchain.

Of the two, Lendf.Me, a decentralized lending platform with instant borrowing and withdrawal capabilities, was hit hardest, with 99.95% of funds or $24.5 million stolen. Lendf.Me itself is supported by the dForce Foundation, a provider of an integrated and interoperable platform of open finance protocols that runs on the DeFi stack.

That relationship is where the path of the attack becomes confusing, with some reports suggesting it was dForce itself that was hacked. Confirmation that Lendf.Me specifically was targeted came via a statement made to Chinese blockchain site Chain News. To complicate matters further, the attack involved the theft of imBTC, an ERC-20 token that was designed by the dForce Foundation but is now run by a separate company called Tokenlon.

The second company targeted, Uniswap, though not supported by the dForce Foundation, was also using the Lendf.me protocol built on top of DeFi as well as imBTC. Uniswap is believed to have lost between $300,000 and $1.1 million in imBTC tokens.

According to Tokenlon, the first attack targeted Uniswap at 8 p.m. EDT Friday, using an exploit that targeted ERC777, an underlying technology on the Ethereum blockchain, to perform a “reentrancy” attack. A reentrancy attack exploits a function that makes an external call to another, untrusted contract before it resolves any effects (that is, before it updates its own state), allowing an attacker to take over the control flow of the smart contract.
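As an added illustration (not code from Lendf.Me, Uniswap, Tokenlon or the original article), the following Python model shows the ordering problem described above: a pool that pays out through a token with recipient hooks before updating its own ledger, next to the same pool with the ledger update moved ahead of the external call. The class names, account names and balances are constructed for the example.

```python
class HookToken:
    """ERC777-style token model: a transfer calls the recipient's hook."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}  # account -> callback run when that account receives tokens

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        if dst in self.hooks:
            self.hooks[dst](amount)  # external call into untrusted code


class Pool:
    """Deposit pool; effects_first selects the ordering inside withdraw()."""
    def __init__(self, token, effects_first):
        self.token, self.effects_first = token, effects_first
        self.deposits = {}  # the pool's own ledger of what it owes each user

    def deposit(self, user, amount):
        self.token.transfer(user, "pool", amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def withdraw(self, user):
        amount = self.deposits.get(user, 0)
        if amount == 0:
            return
        if self.effects_first:
            self.deposits[user] = 0                    # effect, then interaction
            self.token.transfer("pool", user, amount)
        else:
            self.token.transfer("pool", user, amount)  # interaction first
            self.deposits[user] = 0                    # effect arrives too late


def simulate(effects_first, max_reentries=4):
    """Return (tokens held by the untrusted account, pool tokens, pool solvent?)."""
    token = HookToken({"alice": 100, "untrusted": 10})  # constructed sample balances
    pool = Pool(token, effects_first)
    pool.deposit("alice", 100)
    pool.deposit("untrusted", 10)
    calls = []
    def hook(amount):  # recipient hook that calls back into the pool mid-withdrawal
        calls.append(amount)
        if len(calls) <= max_reentries:
            pool.withdraw("untrusted")
    token.hooks["untrusted"] = hook
    pool.withdraw("untrusted")
    owed = sum(pool.deposits.values())
    return token.balances["untrusted"], token.balances["pool"], token.balances["pool"] >= owed
```

With the external call first, the model's pool ends up holding fewer tokens than its ledger says it owes; with the ledger updated first, the nested call sees a zero balance and returns without paying.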

In an initial response, Tokenlon suspended the transfer of imBTC and advised users to evaluate potential security risks. Transfers resumed at 5 a.m. EDT Saturday (5 p.m. in Singapore, where the company is based) after Tokenlon received confirmation from partners that they were fine to do so.

Fast-forward to 9:28 p.m. EDT Saturday (9:28 a.m. Sunday in Singapore), and Tokenlon received a message from Lendf.Me advising that it had also been targeted in a reentrancy attack. imBTC was then suspended 46 minutes later.

“The ERC-777 token standard has — to our knowledge — no security vulnerabilities,” Tokenlon said. “However, the combination of using ERC777 tokens and Uniswap/Lendf.Me contracts enables the ... reentrancy attacks.”

Both Uniswap and Lendf.Me remain offline at the time of writing, and an investigation has been launched into who may have been behind the attack.
