Raft, the decentralized finance platform behind the USD-pegged stablecoin R, fell victim to a security exploit last week, losing a total of $6.7 million worth of funds despite having undergone multiple security audits. According to the post-mortem report released on Nov. 13, the attacker borrowed 6,000 Coinbase-wrapped staked Ether (cbETH) on Aave and exploited a smart contract flaw to mint 6.7 million R tokens.
Security Breach Unveiled
The report identified a precision calculation issue during the minting of share tokens as the primary root cause, which allowed the attacker to obtain extra share tokens. The attacker leveraged an amplified index value to inflate the worth of those shares.
R Depegged, Despite Precautions
Following the exploit, the stolen funds were moved off the platform through liquidity pools on the decentralized exchanges Balancer and Uniswap, yielding proceeds of $3.6 million. The R stablecoin then lost its peg: it initially dropped 50% from its $1 price but later rebounded to around 70 cents, according to CoinMarketCap data.
The exploited smart contracts had undergone audits by blockchain security firms Trail of Bits and Hats Finance. Despite these efforts, the vulnerabilities leading to the incident were not detected during these audits, according to Raft.
Hacker Lost Money?
On-chain data revealed an intriguing aspect: after draining 1,577 ETH from Raft, the attacker sent 1,570 ETH to a burn address, effectively destroying most of the stolen assets and leaving only 7 ETH. The attacker’s wallet had received 18 ETH via Tornado Cash before the attack and was left with only 14 ETH after the transfers, indicating a 4 ETH loss.
The post-mortem report suggested that “The primary root cause was a precision calculation issue when minting share tokens, which enabled the exploiter to obtain extra share tokens. The attacker leveraged the amplified index value to increase the worth of their shares.”
Post-Incident Actions
Since the incident on Nov. 10, Raft has taken immediate steps, filing a police report and collaborating with centralized exchanges to trace the stolen funds. Currently, all of Raft’s smart contracts are suspended. However, users who minted R still have the ability to repay their positions and retrieve their collateral.
In the aftermath of this exploit, Raft faces the dual challenge of recovering from the financial loss and restoring trust within its user base.
Hot Take: Lessons Learned from Raft’s Security Breach
The recent security breach at Raft serves as a stark reminder that even after multiple security audits by reputable firms like Trail of Bits and Hats Finance, vulnerabilities can still be present within DeFi protocols. This incident underscores how important it is for platforms like Raft to continually reassess their security measures and keep pace with emerging threats in order to regain the trust of their users.