ForkLog

Hacker incurs losses in Raft DeFi project hack

The Raft DeFi platform lost about $3.3 million in Ethereum as a result of the hack. According to analysts, however, the attack likely left the attacker himself with nothing but losses.

absolutely unhinged
1. hacker pulled 18 ETH from tornado cash
2. hacked a total of 1,577 ETH
3. burned 1,570 ETH and sent remaining 7 ETH to themselves
4. After fees, they’re left with 14 ETH

So total profit after fees is -4 ETH

mf might go to jail to LOSE 4 ETH

— 0xngmi (@0xngmi) November 10, 2023

Analyst under the handle 0xngmi noted that the hacker withdrew a total of 1577 ETH (~$3.3 million) from the protocol. However, 1570 ETH was sent to a burn address, and only 7 ETH to his own wallet.

For the attack, the attacker used 18 ETH funneled through the mixer Tornado Cash. But after all operations and fees, he was left with 14 ETH.

“A son of a bitch could go to jail for losing 4 ETH,” wrote the expert.

Raft provides the ability to issue the US-dollar-pegged stablecoin R, backed by Ether derivatives such as those of Lido Finance.

Wintermute’s head of research Igor Igamberdiev disclosed the attack scheme. The attacker created two “child” contracts to mint 3,000 R using 2 cbETH. He then liquidated collateralized positions with 1,000 ETH obtained via flash loans.

1/6

Sad, but @raft_fi was exploited, and the attacker was able to mint 6.7 uncollateralized R stablecoin

The twist is that they converted them into ETH, which was sent to the null address, but first things first https://t.co/q6U5fyRek9

— Igor Igamberdiev (@FrankResearcher) November 10, 2023

Liquidity manipulation boosted the hacker’s collateral to 3,900 ETH, which he used to mint 6.7 million uncollateralized R. He then sold the tokens for ETH through a mixer, Igamberdiev speculated.

According to the expert, the attacker did not account for the fact that when converting assets, the function would reference storage from the main contract, where the hacker’s address had not been initialized.

6/6

So, instead of sending ETH to the attacker, coins went to the null address, which has no private key, oops https://t.co/sjc3mtLlG3

— Igor Igamberdiev (@FrankResearcher) November 10, 2023

“Thus, instead of sending ETH to the attacker, the coins went to the null address, which has no private key, oops,” explained Igamberdiev.
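The failure mode Igamberdiev describes, an address read from a storage context where it was never set, can be shown with a simplified Python model of contract storage. This is an added example, not Raft's or anyone else's contract code; the slot number, the `0xCALLER` address and the `reject_zero` guard are assumptions made for illustration.

```python
# Simplified model of EVM storage semantics (added example, not Raft's code).
ZERO_ADDRESS = "0x" + "00" * 20


class Storage:
    """Contract storage: every slot that was never written reads as zero."""

    def __init__(self):
        self._slots = {}

    def write(self, slot, value):
        self._slots[slot] = value

    def read_address(self, slot):
        return self._slots.get(slot, ZERO_ADDRESS)


class Ledger:
    """Tracks ETH balances; ETH credited to ZERO_ADDRESS is unrecoverable."""

    def __init__(self):
        self.balances = {}

    def transfer(self, recipient, amount):
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


OWNER_SLOT = 0  # hypothetical slot holding the payout recipient


def payout(ctx, ledger, amount, reject_zero=False):
    """Send `amount` to the recipient stored in the executing context `ctx`."""
    recipient = ctx.read_address(OWNER_SLOT)
    if reject_zero and recipient == ZERO_ADDRESS:
        raise ValueError("recipient not initialized in this storage context")
    ledger.transfer(recipient, amount)
    return recipient


def demo(reject_zero):
    helper, main = Storage(), Storage()
    helper.write(OWNER_SLOT, "0xCALLER")  # constructed address, set only in helper
    ledger = Ledger()
    # The payout code runs against `main` storage, where OWNER_SLOT was never set.
    payout(main, ledger, 1570, reject_zero)
    return ledger.balances
```

For contract developers, the `reject_zero` branch corresponds to the usual zero-address check on a transfer recipient, which turns a silent burn into a reverted call.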

Raft co-founder David Garai confirmed the hack and unauthorized withdrawal from the protocol. The team said it had launched an investigation and would provide the community with detailed information.

There’s been an exploit situation for @raft_fi where the exploiter minted R (which was then sold to drain AMM liquidity), and also managed to withdraw collateral at the same time

We are investigating — post-mortem will follow soon

— DG (@davgarai) November 10, 2023

The platform paused the issuance of the stablecoin.

According to CoinMarketCap, after the attack the ‘stablecoin’ lost its peg to the dollar. At the time of writing the asset traded at around $0.08.

Earlier, losses at the previously hacked centralized cryptocurrency exchange Poloniex exceeded $124.5 million.
