In brief ⚡
On the 11th of November 2023, Raft Fi on the Ethereum chain was attacked. The attack was made possible by a precision loss issue. Around 1577 Ether were stolen by the attacker. However, the attacker mistakenly burnt 1570 of them, ultimately resulting in a net profit of -4 Ether.
Hacks and Scams⚠️
Raft Fi
Amount of Loss: ~ $6.7M
Analysis
The exploit on Raft occurred on November 11, 2023, resulting in the minting of approximately $6.7 million in unbacked R.
The attacker used a flash loan to borrow 6,000 cbETH from AAVE and manipulated the InterestRatePositionManager contract.
The exploiter executed a sequence of actions, including liquidating a pre-created position, minting shares with a precision calculation issue, and redeeming cbETH for a significant amount.
The attacker swapped the minted R for 1575 ETH through various pools on Balancer and Uniswap, burning 1,570 ETH in the process.
The root cause was identified as a precision calculation issue during share token minting, which was not detected in audits by Trail of Bits and Hats Finance.
Post-incident actions included filing a police report, working on a recovery plan to compensate affected users, and temporarily pausing all Raft smart contracts.
Read Post Mortem report here.
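The root cause above is a rounding problem in share minting. As an added illustration (not Raft's code and not taken from the post-mortem), this Python model assumes a WAD-scaled index of underlying per share and compares rounding the minted share amount up against rounding it down with a zero-share check. The formula, function names and sample index are assumptions.

```python
WAD = 10**18  # assumed fixed-point scale for the index (18 decimals)


def div_down(a: int, b: int) -> int:
    return a // b


def div_up(a: int, b: int) -> int:
    return -(-a // b)


def shares_for_deposit(amount: int, index: int, round_up: bool) -> int:
    """Shares minted for `amount` underlying at `index` (underlying per share, WAD-scaled)."""
    scaled = amount * WAD
    return div_up(scaled, index) if round_up else div_down(scaled, index)


def redeem_value(shares: int, index: int) -> int:
    """Underlying paid out for `shares`, rounded in the protocol's favour."""
    return div_down(shares * index, WAD)


def excess_value(amount: int, index: int, round_up: bool) -> int:
    """Value credited minus value deposited; positive means unbacked value was created."""
    shares = shares_for_deposit(amount, index, round_up)
    return redeem_value(shares, index) - amount


def mint_checked(amount: int, index: int) -> int:
    """Hardened mint: round down, reject zero-share mints, enforce the backing invariant."""
    shares = shares_for_deposit(amount, index, round_up=False)
    if shares == 0:
        raise ValueError("deposit too small to mint a share at the current index")
    if redeem_value(shares, index) > amount:
        raise AssertionError("minted shares are worth more than the deposit")
    return shares


if __name__ == "__main__":
    index = 1000 * WAD  # constructed sample: one share is worth 1000 units
    print("round up, 1 unit deposit   ->", excess_value(1, index, True))   # unbacked
    print("round down, 1 unit deposit ->", excess_value(1, index, False))  # no gain
    print("checked mint of 2500 units ->", mint_checked(2500, index), "shares")
```

A test suite for a share-minting contract can assert the same invariant: for any deposit and index, the redeemable value of the minted shares never exceeds the deposit.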
Explore the Depths of Knowledge: Research Papers, Blogs and Tweets🔖
Tweets
Can finally share what @zachobront and I have been working on last year. TLDR: Attacker can break...
Web3 Community Spotlight🔦
Exciting News: World's First Web3 Security Hackathon
We are thrilled to announce the world's first Web3 Security Hackathon! We have many smart contract development-focused hackathons, but no hackathons focused on the security of these smart contracts.
Introducing our security tracks for QuillCon: CodeQuest
We invite all buidlers to buidl for these exciting tracks with exclusive track sponsors and prizes to be announced soon!
Ethereum stands out among smart contract blockchains, largely due to the substantial impact of Layer 2 solutions on its rise.
Thanks for reading HashingBits! Share a summary of our newsletter on your social media platforms, tag us, and use the #AwareToEarn hashtag, and you could win 10 USDT as a reward! Help us build a safer Web3 ecosystem and have a chance to earn rewards and support our work.