DeFi platform Raft lost about $3.3 million in Ethereum as a result of a hack. But the attack likely brought only losses to the attacker, experts found.
absolutely unhinged
1. hacker pulled 18 ETH from tornado cash
2. hacked a total of 1,577 ETH
3. burned 1,570 ETH and sent remaining 7 ETH to themselves
4. After fees, they’re left with 14 ETH
So total profit after fees is -4 ETH
mf might go to jail to LOSE 4 ETH
— 0xngmi (@0xngmi) November 10, 2023
An analyst under the nickname 0xngmi noted that the hacker withdrew a total of 1,577 ETH (~$3.3 million) from the protocol. However, he sent 1,570 ETH to the burn address, and only 7 ETH to his wallet.
For the attack, the attacker used 18 ETH, transferred through the Tornado Cash mixer. But after all the transactions and paying commissions, he was left with 14 ETH.
“The son of a bitch could go to jail for losing 4 ETH,” the expert wrote.
Raft provides the ability to issue the US dollar-pegged stablecoin R backed by liquid ether derivatives like stETH from Lido Finance.
The head of research at Wintermute, Igor Igamberdiev, revealed the attack scheme. The attacker created two “child” contracts to issue 3,000 R using 2 cbETH. He then liquidated the collateralized positions with 1,000 ETH received through flash loans.
1/6
Sad, but @raft_fi was exploited, and the attacker was able to mint 6.7 uncollateralized R stablecoin
The twist is that they converted them into ETH, which was sent to the null address, but first things first👇 https://t.co/q6U5fyRek9
— Igor Igamberdiev (@FrankResearcher) November 10, 2023
Liquidity manipulation increased the hacker’s collateral to 3,900 ETH, which he used to mint 6.7 million unsecured R. He then sold the tokens for ether, which was to be moved through some kind of mixer, Igamberdiev suggested.
According to the expert, the attacker did not take into account that when converting assets, the function would access the storage from the main contract, in which the hacker’s address was not initialized.
6/6
So, instead of sending ETH to the attacker, coins went to the null address, which has no private key, oops https://t.co/sjc3mtLlG3
— Igor Igamberdiev (@FrankResearcher) November 10, 2023
“So, instead of sending ETH to the attacker, the coins went to a zero address that does not have a private key, oops,” Igamberdiev explained.
Raft co-founder David Garay confirmed the hack and unauthorized withdrawal of funds from the protocol. The team has launched an investigation into the incident and promised to provide the community with detailed information.
There’s been an exploit situation for @raft_fi where the exploiter minted R (which was then sold to drain AMM liquidity), and also managed to withdraw collateral at the same time
We are investigating — post-mortem will follow soon
— DG (@davgarai) November 10, 2023
The platform suspended issuance of the stablecoin.
According to CoinMarketCap, after the attack, the “stable coin” lost its peg to the dollar. At the time of writing, the asset is trading at around $0.08.
As a reminder, the losses of the centralized crypto exchange Poloniex, hacked the day before, exceeded $124.5 million.
2023-11-11 13:46:08