Raft Protocol loses $6,700,000 in Smart Contract Exploit
Summary
On November 10, 2023, Raft Protocol was exploited for a loss of about 1,575 cbETH. The attacker used a multi-step strategy built around a precision (rounding) error in one of the protocol's smart contracts. The attacker first obtained cbETH through a flash loan, then donated cbETH to, and performed a liquidation through, the Interest Rate Position Manager. That step inflated the collateral token's index rate, after which the attacker could grow their position in many small increments, each one exploiting a rounding issue in the mint function. In this way the attacker repeatedly minted the protocol's collateral token, creating approximately 6.003 quadrillion tokens with no corresponding deposit, and then minted R tokens against the inflated balance. However, the attacker mishandled a contract involved in moving the proceeds and sent 1,577.57 ETH to a burn address, where it is unrecoverable.
Attackers
The identity of the attacker is unknown. The following addresses are associated with this attack:
Losses
Raft lost approximately $6,700,000 during the attack.
Timeline
- November 10, 2023, 18:59 UTC: The initial malicious transaction occurred.
- November 10, 2023, 19:18 UTC: Raft announces the security vulnerability in a post on X.
- November 11, 2023, 12:30 UTC: Raft posts an update on X informing users that the estimated loss has increased from $3,300,000 to $6,700,000.
- November 13, 2023: Post-mortem report is released.
- November 17, 2023, 15:31 UTC: Raft releases an updated recovery plan.
Security Failure Causes
- Smart Contract Vulnerability: The exploit resulted from a precision (rounding) error in the collateral token's mint function. Share amounts were rounded in the minter's favour, so once the token's index rate had been inflated, each small mint credited far more collateral than was deposited; this inflated balance in turn allowed unauthorized minting of R tokens.
- Audit Ineffectiveness: The vulnerability survived prior security audits, which points to a gap in audit scope or depth, in particular around rounding behaviour when the index rate is manipulated.
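The index-inflation plus mint-rounding mechanism described in the Summary and again under Security Failure Causes, modelled in Python as an added example. This is not Raft's contract code: the IndexedCollateral class, its sync_index hook, the 1000x index inflation and all amounts are constructed for illustration. The vulnerable variant rounds share amounts up in the minter's favour; the hardened variant rounds them down and rejects zero-share mints. phantom_collateral() is the invariant a reviewer or fuzzer would check: collateral credited to holders must never exceed what the contract actually holds.

```python
# Added example (not Raft's code): a minimal model of an index-based collateral
# token whose mint() rounds share amounts in the minter's favour, beside the
# same token with protocol-favouring rounding. Names and numbers are invented.
ONE = 10**18  # fixed-point scale (18 decimals)


def div_up(a: int, b: int) -> int:
    """Integer division rounded towards +infinity (a >= 0, b > 0)."""
    return -(-a // b)


class IndexedCollateral:
    """Holders own `shares`; balance_of() = shares * index / ONE.

    The index is a *stored* value, re-derived from the backing amount only
    when the protocol calls sync_index() (here: after a donation standing in
    for the liquidation/donation step). It is NOT refreshed on mint, so any
    shares credited by rounding become collateral with no backing behind it.
    """

    def __init__(self, round_mint_up: bool) -> None:
        self.round_mint_up = round_mint_up   # True = the vulnerable direction
        self.index = ONE                     # 1 share == 1 unit of underlying
        self.backing = 0                     # underlying units actually held
        self.total_shares = 0
        self.shares: dict[str, int] = {}

    def sync_index(self) -> None:
        # Hypothetical protocol hook: recompute index from backing / shares.
        if self.total_shares:
            self.index = div_up(self.backing * ONE, self.total_shares)

    def donate(self, amount: int) -> None:
        # Underlying enters without new shares being issued: the index inflates.
        self.backing += amount
        self.sync_index()

    def mint(self, holder: str, amount: int) -> int:
        scaled = amount * ONE
        if self.round_mint_up:
            new_shares = div_up(scaled, self.index)      # favours the minter
        else:
            new_shares = scaled // self.index            # favours the protocol
        if new_shares == 0:
            raise ValueError("deposit too small to mint a share")
        self.backing += amount
        self.total_shares += new_shares
        self.shares[holder] = self.shares.get(holder, 0) + new_shares
        return new_shares

    def balance_of(self, holder: str) -> int:
        return self.shares.get(holder, 0) * self.index // ONE

    def phantom_collateral(self) -> int:
        """Collateral credited to holders beyond what the contract holds.
        A sound token keeps this <= 0; a positive value is borrowable air."""
        return sum(self.balance_of(h) for h in self.shares) - self.backing


def run_attack(round_mint_up: bool, n_mints: int, mint_amount: int = 1) -> dict:
    """Constructed scenario: one honest depositor, an index inflated 1000x by a
    donation, then n_mints small mints by the attacker."""
    token = IndexedCollateral(round_mint_up)
    token.mint("honest", 1_000)   # at index == ONE -> exactly 1_000 shares
    token.donate(999_000)         # backing 1_000_000 over 1_000 shares -> index = 1000 * ONE
    deposited = rejected = 0
    for _ in range(n_mints):
        try:
            token.mint("attacker", mint_amount)
            deposited += mint_amount
        except ValueError:
            rejected += 1
    return {
        "deposited": deposited,
        "credited": token.balance_of("attacker"),
        "phantom": token.phantom_collateral(),
        "rejected": rejected,
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(True, 100))   # 100 deposited, 100_000 credited
    print("hardened  :", run_attack(False, 100))  # every 1-unit mint rejected
```

In the vulnerable run each 1-unit deposit rounds up to a whole share worth 1000 units, so 100 deposits are credited as 100,000 units of collateral and the token now reports 99,900 units that nobody deposited; a lending module that trusts balance_of() will let that be borrowed against. With floor rounding the same 1-unit mints are rejected, and larger mints such as 1,999 units credit only 1 share, so the rounding loss falls on the depositor and phantom_collateral() stays at or below zero. Rounding direction is only one part of a real fix; the index update path that let a donation inflate the rate by orders of magnitude also needs bounds, but that is outside what this model shows.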