Uniswap Hack
Incident Overview
Hackers deployed two reentrancy attacks, made possible by a known vulnerability found in the ERC777-token of Uniswap, to steal $300,000 and $1.1 million in imBTC tokens. Tokenlon, the company behind the imBTC token that runs on the Uniswap platform, provides a timeline of the events:
“8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to perform a reentrancy attack.
12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue, and established an emergency response team.
12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.
17:00 on April 18th. imBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.
09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.
10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.”
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Uniswap, these are the critical security checks that could have prevented this incident (April 2020).
- Verify all logic paths related to Other are guarded by proper access controls and input validation
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialSources & References
Learn to Prevent the Next Uniswap
The Uniswap hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.