A hacker got over 44 RBTCs on a Bitcoin-based finance protocol and escaped. He executed the transaction using a price manipulation technique in one of the protocol’s lending pools. Here are the details…
Price manipulation in Bitcoin-based protocol
Sovryn, a Bitcoin-based decentralized finance protocol, faced a price manipulation on Tuesday. On top of that, over $1 million of funds were emptied. The attack resulted in the hacker stealing over $1 million in crypto from the protocol, including 44.93 RBTC and 211,045 USDT. Sovryn shared a blog post on the subject. According to the statement, the attacks specifically targeted the old Sovryn Borrow/Lend protocol. So this also affected the RBTC and USDT loan pools. However, Sovryn clarified that user funds were not affected by the attack. Any missing value in the lending pools will be re-injected by the Exchequer, the Sovryn treasure.
RBTC and USDT are cryptocurrencies pegged to Bitcoin and the US dollar, respectively. In this case, the coins are circulating on Rootstock (RSK), a Bitcoin sidechain that aims to expand Bitcoin’s smart contract, dapp, and scaling capabilities. Sovryn is a Defi protocol built on RSK. It seems that some of the funds are being withdrawn using Sovryn’s automatic market maker (AMM) function. This means that the attacker has seized several different tokens. Efforts to recover funds are still ongoing.
How did the hack happen?
According to Sovryn’s post, they noticed the attack thanks to the multi-layered security approach taken. That is, they stated that the attacker was spotted trying to withdraw the funds. At this point, with a concerted effort, the developers were able to recover about half of the value lost by the attack. Sovryn spokesman Edan Yago said it was the first “successful” attack against protocol after two years of operation. He claimed that Sovryn is “one of the most heavily audited DeFi systems” with “bug bounty” with valuable and active bug bounties.
The hacking took place through Sovryn’s manipulation of the iToken price. These tokens represent the share of cryptocurrency a user owns in the lending pool. It also provides interest. The price of this token is updated every time it interacts with the lending pool. First, the attacker bought WRBTC (wrapped RBTC) using a flash transaction on RskSwap. Then he used his own XUSD (another stablecoin) as collateral. Borrowed additional WRBTC from Sovryn’s lending contract. Sovryn’s post included the following statements:
The attacker then provided liquidity to the RBTC loan contract. He closed his loan with a transaction using XUSD collateral, used iRBTC tokens. Flash sent WRBTC back to RskSwap to complete the transaction.
