Raft halts stablecoin minting following security breach

The DeFi platform Raft has temporarily suspended the minting of its R stablecoin due to a security vulnerability that resulted in a substantial loss.

The company is currently investigating the incident and has promised to keep its users updated. Existing users, however, can continue with loan repayments and collateral retrieval.

We are aware of a potential security vulnerability. We are currently investigating and will provide an update as soon as we can.

— Raft (@raft_fi)

Raft co-founder David Garai confirmed the attack on the platform, in which the attacker minted R tokens, sold them to drain automated market maker (AMM) liquidity, and withdrew collateral from Raft at the same time.

There’s been an exploit situation for where the exploiter minted R (which was then sold to drain AMM liquidity), and also managed to withdraw collateral at the same time

We are investigating – post-mortem will follow soon

— DG (@davgarai)

The DeFi lending platform issues the R stablecoin, which is collateralized by liquid staking ETH derivatives. According to Garai, the company is now focused on securing its users’ operations and restoring stability to its platform.

The disruption caused the price of the R stablecoin to drop sharply from $1 to $0.18. Per CoinGecko, at the time of writing, the cryptocurrency was trading at $0.057965, which is 92.3% below its previous level.

According to on-chain analysts, a hacker allegedly exploited the system, resulting in the burning of a significant amount of ether (ETH). 

However, a twist of fate saw the hacker presumably suffering a setback due to a coding error. The ether, instead of going to the hacker’s address, was sent to a null address, making it irretrievable.

The on-chain data shows the hacker drained 1,577 ETH from Raft and then sent 1,570 ETH to a burn address. 

The exploiter’s crypto wallet was left with just 7 ETH, a net loss compared to a reported 18 ETH initially funded via the sanctioned crypto mixer service, Tornado Cash.

absolutely unhinged

1. hacker pulled 18 ETH from tornado cash
2. hacked a total of 1,577 ETH
3. burned 1,570 ETH and sent remaining 7 ETH to themselves
4. After fees, they’re left with 14 ETH

So total profit after fees is -4 ETH

mf might go to jail to LOSE 4 ETH

— 0xngmi (@0xngmi)

Igor Igamberdiev, the Head of Research at Wintermute, noted that the hacker minted 6.7 uncollateralized R stablecoin and converted it into ether. 

1/6

Sad, but was exploited, and the attacker was able to mint 6.7 uncollateralized R stablecoin

The twist is that they converted them into ETH, which was sent to the null address, but first things first👇

— Igor Igamberdiev (@FrankResearcher)

However, due to the coding error, the ether ended up in the null address.

2023-11-12 17:10