DeFi Lender Raft Halts Stablecoin Minting After Losing Over 1500 ETH in Security Breach

The decentralized finance (DeFi) lending platform Raft has temporarily suspended minting of its R stablecoin following a security breach, resulting in over 1500 ETH drained from the protocol. 

We are aware of a potential security vulnerability. We are currently investigating and will provide an update as soon as we can.

— Raft (@raft_fi) November 10, 2023

Raft co-founder David Garai confirmed the security breach, which involved the intruder generating R tokens and depleting automated market maker liquidity while simultaneously withdrawing collateral from Raft.

According to CoinGecko data, the breach caused the price of the R stablecoin to drop from $1 to $0.04 as of the time of writing.


R stablecoin price chart | Source: CoinGecko

Moreover, Garai said Raft is focused on securing user operations and restoring stability as it investigates the full extent of the incident. However, existing R holders can still repay loans and retrieve collateral while minting is suspended.

Interestingly, an on-chain data analyst traced the hack to a coding flaw that mistakenly sent the 1570 ETH drained by the hacker to an irretrievable null address instead of the hacker’s wallet. 

In total, the attacker was able to drain 1577 ETH from Raft but only withdrew 7 ETH due to the error. The hacker reportedly funded the attack with just 18 ETH obtained through the controversial crypto mixer Tornado Cash. 

absolutely unhinged
1. hacker pulled 18 ETH from tornado cash
2. hacked a total of 1,577 ETH
3. burned 1,570 ETH and sent remaining 7 ETH to themselves
4. After fees, they’re left with 14 ETH
So total profit after fees is -4 ETH
mf might go to jail to LOSE 4 ETH

— 0xngmi (@0xngmi) November 10, 2023

According to Gor Igamberdiev, Head of Research at Wintermute, the hacker minted 6.7 million unbacked R tokens valued at $6.7 million and swiftly exchanged them for ETH. However, due to the critical code flaw, the ETH ended up locked in the null address. 

While Raft continues its investigation, the team has promised to keep users updated on efforts to restore stability and compensate for any losses from the protocol’s treasury reserves. 

For now, existing R holders are still able to utilize Raft’s lending and borrowing functions despite the minting suspension.


2023-11-12 18:29