Security Audits Fail to Identify Vulnerabilities Leading to $6.7M Raft Hack

Raft, a decentralized finance platform behind the USD-pegged stablecoin R, fell victim to a security exploit last week that resulted in a total loss of $6.7 million worth of funds, despite the protocol having undergone multiple security audits. According to the post-mortem report released on Nov. 13, a hacker borrowed 6,000 Coinbase-wrapped staked Ether (cbETH) on Aave and exploited a smart contract glitch to mint 6.7 million R tokens.

Security Breach Unveiled

The report identified a precision calculation issue during the minting of share tokens as the primary root cause, enabling the attacker to obtain extra share tokens. This exploitation leveraged an amplified index value to inflate the value of the shares.

R Depegged, Despite Precautions

Following the exploit, the unauthorized funds were moved off the platform through liquidity pools on decentralized exchanges Balancer and Uniswap, resulting in proceeds of $3.6 million. Subsequently, the R stablecoin experienced a depegging after the attack. Raft’s dollar-pegged stablecoin, R, initially dropped by 50% from its $1 price post-exploit but later rebounded to around 70 cents, as per Coinmarketcap data.

The exploited smart contracts had undergone audits by blockchain security firms Trail of Bits and Hats Finance. Despite these efforts, the vulnerabilities leading to the incident were not detected during these audits, according to Raft.

Hacker Lost Money?

On-chain data revealed an intriguing aspect – after draining 1,577 ETH from Raft, the attacker sent 1,570 ETH to a burn address, effectively destroying most of the stolen assets and leaving only 7 ETH. The attacker’s crypto wallet received 18 ETH via Tornado Cash before the attack and was left with only 14 ETH after executing the transfers, indicating a 4 ETH loss.

The post-mortem report suggested that “The primary root cause was a precision calculation issue when minting share tokens, which enabled the exploiter to obtain extra share tokens. The attacker leveraged the amplified index value to increase the worth of their shares.”
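To make the class of defect the post-mortem names concrete, the following is an added toy model written for this article, not Raft's code: an index-scaled share token in which the direction of integer rounding at mint time decides whether the protocol or the depositor absorbs the sub-unit remainder. All function names and the sample index values are constructed; `check_invariant` is the kind of property an auditor would assert, and it shows that the leak grows with the index.

```python
# Constructed toy model of an index-scaled share token (not Raft's code).
ONE = 10**18  # 18-decimal fixed point used for the index


def div_round(num, den, favour_protocol):
    """Integer division; favour_protocol=True rounds down, else rounds up."""
    q, r = divmod(num, den)
    return q if favour_protocol or r == 0 else q + 1


def shares_for_mint(amount, index, favour_protocol=True):
    """Shares credited for depositing `amount` when one share is worth index/ONE."""
    return div_round(amount * ONE, index, favour_protocol)


def amount_for_shares(shares, index):
    """Underlying redeemable for `shares`, rounded down so the vault never over-pays."""
    return shares * index // ONE


def mint_leak(amount, index, favour_protocol):
    """Value a depositor could redeem beyond what was deposited (0 when safe)."""
    shares = shares_for_mint(amount, index, favour_protocol)
    return max(0, amount_for_shares(shares, index) - amount)


def check_invariant(index, favour_protocol, max_amount=1000):
    """Defender's property test: no deposit in [1, max_amount] redeems for more than it paid."""
    return all(mint_leak(a, index, favour_protocol) == 0
               for a in range(1, max_amount + 1))


if __name__ == "__main__":
    # Constructed indices: 1.0, 3.0 and an inflated 1000.0 underlying per share.
    for idx in (ONE, 3 * ONE, 1000 * ONE):
        print(f"index={idx // ONE:>5}  round-up leak per wei={mint_leak(1, idx, False):>4}"
              f"  invariant(round-down)={check_invariant(idx, True)}"
              f"  invariant(round-up)={check_invariant(idx, False)}")
```

Rounding in the depositor's favour leaks nothing while the index is exactly 1.0, which is why such a defect can survive testing and only bite once the index has been driven far from its initial value.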

Post-Incident Actions

Since the incident on Nov. 10, Raft has taken immediate steps, filing a police report and collaborating with centralized exchanges to trace the stolen funds. Currently, all of Raft’s smart contracts are suspended. However, users who minted R still have the ability to repay their positions and retrieve their collateral.

In the aftermath of this exploit, Raft faces the dual challenge of recovering from the financial loss and restoring trust within its user base.

Hot Take: Lessons Learned from Raft’s Security Breach

The recent security breach at Raft serves as a stark reminder that, even after multiple security audits by reputable firms like Trail of Bits and Hats Finance, vulnerabilities can still be present within DeFi protocols. This incident underscores how important it is for platforms like Raft to continuously reassess their security measures and keep them current against emerging threats in order to regain trust within their user base.
