Raft Security Incident: Post-Mortem Analysis and Recovery Plan

On 10 November 2023 at 18:59:23 UTC, Raft encountered a complex security incident, resulting in the minting of ~$6.7 million unbacked R, subsequently, the attacker sold R, causing R's depeg.

A public announcement of the exploit was made on 10 November 2023 at 19:18 UTC.

The Incident

Exploit Transaction: https://etherscan.io/tx/0xfeedbf51b4e2338e38171f6e19501327294ab1907ab44cfd2d7e7336c975ace7

Raft Exploiter: https://etherscan.io/address/0xc1f2b71a502b551a65eee9c96318afdd5fd439fa

Exploited Contract (InterestRatePositionManager): https://etherscan.io/address/0x9ab6b21cdf116f611110b048987e58894786c244

The sequence of actions taken by the attacker was as follows:

  • Borrowed 6,000 cbETH from AAVE via a flash loan.

  • Transferred a total of 6,001 cbETH to the InterestRatePositionManager contract.

  • Liquidated a pre-created position on the InterestRatePositionManager contract.

  • Set the index of the raft collateral indexable token to 6,003,441,032,036,096,684,181, which is the cbETH balance of the InterestRatePositionManager contract and was amplified over 1000 times due to the donation in step 2. (Source: MetaTrust Labs)

Source: MetaTrust Labs
Source: MetaTrust Labs
  • Minted 1 wei share with only 1 wei cbETH, exploiting the divUp function's behavior.
Source: MetaTrust Labs
Source: MetaTrust Labs
  • Repeated step 5 sixty times to acquire 60 wei shares, equivalent to 10,050 cbETH.

  • Redeemed 6,003 cbETH with only 90 wei rcbETH-c.

Source: MetaTrust Labs
Source: MetaTrust Labs
  • The 6.7m R minted was swapped for 1575 ETH (worth $3.6M) through the following pools:

    • R/sDAI on Balancer: 2.1 million R for 2 million sDAI,

    • R/DAI on Balancer: 1.2 million R for 1.15 DAI, and

    • R/USDC on Uniswap: 200,000 R for 86,000 USDC.

Source: MetaTrust Labs
Source: MetaTrust Labs
  • Burned 1,570 ETH
Source: MetaTrust Labs
Source: MetaTrust Labs

Root Cause

The primary root cause was a precision calculation issue when minting share tokens, which enabled the exploiter to obtain extra share tokens. The attacker leveraged the amplified index value to increase the worth of their shares, allowing them to redeem a nominal amount of rcbETH-c for a significant quantity of cbETH and subsequently borrow substantial amounts of R.

Audit Status

The exploited Raft smart contracts were audited by Trail of Bits and Hats Finance. Unfortunately, the vulnerabilities that led to the incident were not detected in these audits.

We are committed to working closely with the community to enhance the security measures and reinforce the resilience of Raft and the crypto ecosystem as a whole.

Post-Incident Actions

A police report has been filed and we are working with law enforcement, centralized exchanges, and other parties to identify the attacker.

We are working on a detailed recovery plan to compensate all users affected by the incident as much as possible and in the fairest way.

A public announcement was issued on 11 November 2023, urging all Raft users to await further updates regarding the recovery plan.

To mitigate further risks, all Raft smart contracts were temporarily paused on 10 November. However, users who have minted R retain the ability to repay their positions and retrieve their collateral.

Upcoming Steps

Raft will release an in-depth recovery plan this week, outlining the steps to address the situation and provide redress for affected users. The Raft community will have the opportunity to provide feedback on the proposed recovery plan before it is concluded and the recovery plan is executed.

Subscribe to Raft
Receive the latest updates directly to your inbox.
Mint this entry as an NFT to add it to your collection.
This entry has been permanently stored onchain and signed by its creator.