Themis Protocol Suffers $370,000 Loss in Exploit

Summary

On June 27, 2023, Themis Protocol, a decentralized lending and borrowing platform on the Arbitrum One chain, fell victim to a sophisticated exploit involving a flawed price oracle, leading to a loss of approximately $370,000. The attacker manipulated the Balancer LP token price by exchanging tokens within the Balancer pool, thus affecting the oracle’s valuation of the pool’s tokens. By utilizing flash loans and a series of calculated transactions, the exploiter was able to inflate the price of the Balancer LP tokens and borrow assets far exceeding their collateral, eventually laundering a portion of the stolen assets through Tornado Cash.

Attackers

The identity of the attacker is unknown. The following addresses are associated with this attack:

Losses

Themis Protocol lost approximately $370,000 in total.

Timeline

Security Failure Causes

  • Price Oracle Vulnerability: The root cause of the exploit is a weakness in the Balancer LP token price oracle, which determines the LP token price by aggregating the total value of all tokens in the pool. The attacker manipulated that price by exchanging tokens within the Balancer pool.
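
The weakness described above can be reproduced in a small model. This is an added example, not code from Themis Protocol or Balancer. It assumes a fee-free two-token constant-product pool as a simplification of the real pool math, and constructed reserves and reference prices. All names are hypothetical. It compares a valuation that sums current reserves with one derived from the pool invariant, and adds a monitoring check for skewed reserves.

```python
from dataclasses import dataclass
from math import isclose, sqrt


@dataclass
class Pool:
    """Constructed two-token constant-product pool (x * y = k), no swap fee."""
    x: float        # reserve of token X
    y: float        # reserve of token Y
    supply: float   # LP tokens outstanding

    def swap_x_for_y(self, dx: float) -> float:
        """Trade dx of X into the pool; returns the amount of Y paid out."""
        k = self.x * self.y
        new_y = k / (self.x + dx)
        dy = self.y - new_y
        self.x, self.y = self.x + dx, new_y
        return dy


def naive_lp_price(pool: Pool, px: float, py: float) -> float:
    """Sum of current reserves at reference prices, per LP token."""
    return (pool.x * px + pool.y * py) / pool.supply


def fair_lp_price(pool: Pool, px: float, py: float) -> float:
    """Value derived from the invariant k, which an in-pool swap leaves unchanged."""
    return 2 * sqrt(pool.x * pool.y * px * py) / pool.supply


def reserves_look_skewed(pool: Pool, px: float, py: float, tol: float = 0.02) -> bool:
    """Monitoring check: naive >= fair always (AM-GM); a gap means skewed reserves."""
    return naive_lp_price(pool, px, py) > fair_lp_price(pool, px, py) * (1 + tol)


def demo() -> dict:
    px = py = 1.0                                   # constructed reference prices
    pool = Pool(x=1000.0, y=1000.0, supply=1000.0)  # constructed balanced pool
    before = (naive_lp_price(pool, px, py), fair_lp_price(pool, px, py))
    pool.swap_x_for_y(9000.0)                       # one large swap inside the pool
    after = (naive_lp_price(pool, px, py), fair_lp_price(pool, px, py))
    return {"before": before, "after": after,
            "skewed": reserves_look_skewed(pool, px, py)}


if __name__ == "__main__":
    print(demo())
```

In this model the reserve-sum price moves with a single swap while the invariant-based price stays put, so a lending market that accepts LP collateral should value it from the invariant or reject quotes when the two diverge.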