Hacker Exploits Raft Finance & Steals 1577 ETH Just To Burn It!

In the latest exploit, DeFi protocol Raft has lost approximately $3.3 million in ETH after a hacker abused its R stablecoin.

Raft shared a post confirming the vulnerability and paused the minting of R stablecoin. 

Update: Further minting of R has been paused. Existing users are still able to repay their positions and receive their collateral.

— Raft (@raft_fi) November 10, 2023

To execute the exploit, the hacker created a set of interconnected contracts, initially used just 2 cbETH, and minted 3000 R. The hacker then took a 1000 ETH flash loan to exploit the inflation index logic.

However, unlike other exploits where stolen funds are sent to crypto mixers, this one took an unusual turn. While receiving 1577 ETH by exploiting Raft, the hacker pulled 18 ETH from the crypto mixer Tornado Cash. Surprisingly, the hacker burned 1570 ETH in a subsequent transaction and is now left with only 14 ETH.

The hacker has apparently taken a loss of 4 ETH if the ETH sent via Tornado Cash is also subtracted.

Igor Igamberdiev, the Head of Research at Wintermute, said that the code for converting R to ETH was called from a separate contract which also had a parent contract with no receiver contract detail. “So, instead of sending ETH to the attacker, coins went to the null address, which has no private key,” Igor said. 

1/6 Sad, but @raft_fi was exploited, and the attacker was able to mint 6.7 uncollateralized R stablecoin. The twist is that they converted them into ETH, which was sent to the null address, but first things first👇

— Igor Igamberdiev (@FrankResearcher) November 10, 2023

2023-11-11 09:58