Raft Protocol loses $6,700,000 in Smart Contract Exploit

Summary

On November 10, 2023, Raft Protocol experienced an exploit resulting in a loss of about 1,575 cbETH. The exploiter employed a sophisticated multistep attack strategy focusing on a smart contract’s precision calculation vulnerability. Initially, the attacker obtained cbETH through a flash loan before donating and liquidating the cbETH to the Interest Rate Position Manager. This maneuver manipulated the collateral token’s index rate, allowing the exploiter to systematically increase their position in small increments, exploiting a rounding issue in the mint function. This strategy enabled repeated minting of cbETH, resulting in the unauthorized creation of approximately 6.003 quadrillion tokens. However, the attacker missed an important aspect of a connected smart contract essential for transferring funds and sent 1,577.57 ETH to a burn wallet.

Attackers

The identity of the attacker is unknown. The following addresses are associated with this attack:

Losses

Raft lost approximately $6,700,000 during the attack.

Timeline

Security Failure Causes

  • Smart Contract Vulnerability: The exploit was a direct consequence of a loophole in the smart contract code. Specifically, a critical precision calculation vulnerability in the token minting process allowed unauthorized minting of R tokens.
  • Audit Ineffectiveness: Despite undergoing prior security audits, this particular vulnerability was not detected, indicating a possible deficiency in audit scope or depth.