On 10 November 2023 at 18:59:23 UTC, Raft encountered a complex security incident, resulting in the minting of ~$6.7 million unbacked R, subsequently, the attacker sold R, causing R's depeg.
A public announcement of the exploit was made on 10 November 2023 at 19:18 UTC.
Exploited Contract (InterestRatePositionManager): https://etherscan.io/address/0x9ab6b21cdf116f611110b048987e58894786c244
The sequence of actions taken by the attacker was as follows:
Borrowed 6,000 cbETH from AAVE via a flash loan.
Transferred a total of 6,001 cbETH to the InterestRatePositionManager contract.
Liquidated a pre-created position on the InterestRatePositionManager contract.
Set the index of the raft collateral indexable token to 6,003,441,032,036,096,684,181, which is the cbETH balance of the InterestRatePositionManager contract and was amplified over 1000 times due to the donation in step 2. (Source: MetaTrust Labs)
Repeated step 5 sixty times to acquire 60 wei shares, equivalent to 10,050 cbETH.
Redeemed 6,003 cbETH with only 90 wei rcbETH-c.
The 6.7m R minted was swapped for 1575 ETH (worth $3.6M) through the following pools:
R/sDAI on Balancer: 2.1 million R for 2 million sDAI,
R/DAI on Balancer: 1.2 million R for 1.15 DAI, and
R/USDC on Uniswap: 200,000 R for 86,000 USDC.
The primary root cause was a precision calculation issue when minting share tokens, which enabled the exploiter to obtain extra share tokens. The attacker leveraged the amplified index value to increase the worth of their shares, allowing them to redeem a nominal amount of rcbETH-c for a significant quantity of cbETH and subsequently borrow substantial amounts of R.
The exploited Raft smart contracts were audited by Trail of Bits and Hats Finance. Unfortunately, the vulnerabilities that led to the incident were not detected in these audits.
We are committed to working closely with the community to enhance the security measures and reinforce the resilience of Raft and the crypto ecosystem as a whole.
A police report has been filed and we are working with law enforcement, centralized exchanges, and other parties to identify the attacker.
We are working on a detailed recovery plan to compensate all users affected by the incident as much as possible and in the fairest way.
A public announcement was issued on 11 November 2023, urging all Raft users to await further updates regarding the recovery plan.
To mitigate further risks, all Raft smart contracts were temporarily paused on 10 November. However, users who have minted R retain the ability to repay their positions and retrieve their collateral.
Raft will release an in-depth recovery plan this week, outlining the steps to address the situation and provide redress for affected users. The Raft community will have the opportunity to provide feedback on the proposed recovery plan before it is concluded and the recovery plan is executed.