Raft DeFi Platform Recovers After $3.3M Exploit and Stablecoin Depegging
In a startling turn of events, Raft, a prominent decentralised finance (DeFi) platform, recently faced a security breach that led to a $3.3 million exploit, resulting in the depegging of its stablecoin, R. This incident sent shockwaves through the crypto community, highlighting the vulnerability of DeFi platforms. However, as we delve deeper into the details, it becomes clear that the hacker behind the attack might have incurred substantial losses, offering a glimmer of hope for Raft and its users.
Important Update
The Raft protocol recently experienced a complex security incident that resulted in the minting of ~$6.7M unbacked R.
absolutely unhinged 1. hacker pulled 18 ETH from tornado cash 2. hacked a total of 1,577 ETH 3. burned 1,570 ETH and sent remaining 7 ETH to themselves 4. After fees, they're left with 14 ETH
On the fateful day, Raft suffered a significant breach, with the attacker managing to drain 1,577 ETH from the platform. The stolen assets, however, did not end up in the attacker’s hands. Instead, a coding error led to these funds being sent to a null address, rendering them inaccessible. This unusual twist meant that the attacker only walked away with a meagre 7 ETH, ultimately facing a net loss of 4 ETH on the entire operation.
Raft’s native stablecoin, R, bore the brunt of the exploit, as it quickly lost its dollar peg, plummeting by as much as 50%. The coin, typically valued at $1, was trading at a mere $0.18 at its lowest point before eventually stabilising around $0.70.
The Hacker’s Unconventional Actions
In a departure from the typical modus operandi of crypto hackers, the individual responsible for this exploit exhibited unusual behaviour. Instead of attempting to obscure the stolen funds using crypto mixers, the hacker unexpectedly moved by burning 1,570 ETH in a subsequent transaction. This move left them with a mere 14 ETH, reflecting the hacker’s surprising willingness to incur losses.
1/6
Sad, but @raft_fi was exploited, and the attacker was able to mint 6.7 uncollateralized R stablecoin
The twist is that they converted them into ETH, which was sent to the null address, but first things first👇https://t.co/q6U5fyRek9
Igor Igamberdiev, Wintermute’s Head of Research, shed light on the exploit’s technical details. The attacker utilised interconnected contracts and initially minted 3,000 R tokens using only two cbETH. Subsequently, a 1,000 ETH flash loan was taken to manipulate the inflation index logic. However, the critical error occurred when the code for converting R to ETH was called from a separate contract with a parent contract that lacked receiver contract details. This misstep resulted in the diverted ETH being sent to a null address, effectively nullifying the attacker’s gains.
Raft’s Response and Recovery
Update: Further minting of R has been paused.
Existing users are still able to repay their positions and receive their collateral. https://t.co/0cE6MhfNos
Raft’s co-founder, David Garai, acknowledged the attack and assured users that efforts were underway to mitigate the damage. The protocol-owned sDAI in the Peg Stability Module is being leveraged to restore affected users’ funds. While this incident highlights the vulnerabilities within the DeFi space, it also underscores the resilience of platforms like Raft in responding to such challenges.
Conclusion
The Raft exploit is a stark reminder of the ever-present risks in the world of DeFi. While the initial shockwave of the attack led to the depegging of the R stablecoin, the hacker’s unexpected losses offer a silver lining. This incident emphasises the importance of robust security measures within the DeFi sector and showcases the determination of platforms like Raft to safeguard their users’ interests. As the crypto community watches closely, the industry’s response to such events will undoubtedly shape the future of decentralised finance.
