In the late hours of May 8th, DeFi lending protocol Fortress Network was hit with a manipulation attack that drained most of its funds.
According to the protocol’s release, the stolen assets included 1,048.1 in Ethereum and 400,000 in stablecoin DAI.
Although the theft surfaced this month, there are strong suggestions the process began much earlier, 19 days before the announcement went public.
Fortress Network confirmed the attack in a tweet soon after it happened. A cry for help in apprehending the culprit also followed its announcement. The DeFi lending protocol admitted to being “absolutely devastated” by the attack.
Fortress has been hit with what we believe is an oracle manipulation attack draining all funds. We are investigating to determine the exact method of attack.
PLEASE DO NOT SUPPLY ANY ASSETS TO FORTRESS! https://t.co/o0Sqznl2wP
— Fortress Protocol (@Fortressloans) May 9, 2022
How it Happened
Security outfit CertiK Alert shared in a detailed thread on Twitter how the hacker pulled off the heist.
According to the post, the first thing the attacker did was buy $FTS tokens using Ethereum that had been routed through Tornado Cash.
He purchased enough to exceed the quorum of 400,000 needed for votes and collateral. In doing so, he was able to dominate the governance contract and pass a proposal (Proposal ID 11), an action geared towards changing the collateral component in credit contracts.
Once the proposal had passed, it was easy for the attacker to borrow a great deal of assets from the loan contracts. They then transferred the funds to Ethereum using the Celer Network before covering their tracks with Tornado Cash.
The attacker was careful. He ran his operations at the beginning and at the end through the privacy protocol provided by Tornado. The mixing protocol on Tornado Cash disrupts any link that may exist between sender and receiver on Ethereum, providing a perfect cover.
FTS, the native token of the Binance-based protocol, has tanked by up to 45% since this event.
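A monitoring check for the governance takeover described above, as an added example that is not part of the original article or of Fortress's code: it flags any passable proposal whose quorum is met by a single holder or only with recently acquired tokens. The vote records, addresses and 30-day freshness window are constructed assumptions; only the 400,000 quorum figure comes from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

QUORUM = 400_000         # quorum figure reported in the article
FRESH_WINDOW_DAYS = 30   # assumption: tokens held this long or less count as "fresh"


@dataclass
class Vote:
    proposal_id: int
    voter: str
    weight: int           # governance tokens backing the vote
    token_age_days: int   # days between the voter's first purchase and the vote


def review_proposals(votes, quorum=QUORUM, fresh_days=FRESH_WINDOW_DAYS):
    """Return {proposal_id: [reasons]} for proposals that can reach quorum
    only through one holder or through recently acquired tokens."""
    by_proposal = defaultdict(list)
    for v in votes:
        by_proposal[v.proposal_id].append(v)

    findings = {}
    for pid, pvotes in sorted(by_proposal.items()):
        if sum(v.weight for v in pvotes) < quorum:
            continue  # proposal cannot pass, nothing to review
        per_voter = defaultdict(int)
        for v in pvotes:
            per_voter[v.voter] += v.weight
        top_voter, top_weight = max(per_voter.items(), key=lambda kv: kv[1])
        reasons = []
        if top_weight >= quorum:
            reasons.append(f"single voter {top_voter} meets quorum alone")
        # Voting power that existed before the freshness window.
        established = sum(v.weight for v in pvotes if v.token_age_days > fresh_days)
        if established < quorum:
            reasons.append("quorum reached only with recently acquired tokens")
        if reasons:
            findings[pid] = reasons
    return findings


# Constructed sample votes (not real on-chain data).
SAMPLE_VOTES = [
    Vote(10, "0xaaa", 150_000, 400),
    Vote(10, "0xbbb", 180_000, 250),
    Vote(10, "0xccc", 120_000, 310),
    Vote(11, "0xddd", 420_000, 15),   # large, newly bought position
    Vote(11, "0xaaa", 5_000, 400),
]

if __name__ == "__main__":
    for pid, reasons in review_proposals(SAMPLE_VOTES).items():
        print(f"proposal {pid}: " + "; ".join(reasons))
```

A flagged proposal is a signal to pause or extend the review window before execution, not proof of an attack.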
Rising DeFi Attacks
According to PeckShield, since this year started, DeFi platforms have lost over $1.6 billion in cryptocurrency due to thefts. This is more than was stolen in the whole of 2021 put together.
In the last two months, two high-profile attacks occurred. Axie’s Ronin network suffered the biggest damage, losing more than $600 million. In a similar fashion, Inverse Finance lost more than $15 million worth of assets. Also last month, Rari’s Fuse Protocol fell victim to the second biggest hack yet this year.
In the wake of the Fortress breach, security firms PeckShield and BlockSec have suggested Umbrella Network’s erratic price feed might have also contributed to the hack’s success. The DeFi oracle responded that an investigation was underway and that they had already dispatched a hotfix to deal with the issue.