Despite undergoing multiple security audits, Raft, a decentralized U.S. dollar stablecoin protocol, recently fell victim to a security breach resulting in a substantial loss of $6.7 million.
The incident, detailed in a post-mortem report released on November 13th, involved a hacker who had borrowed 6,000 Coinbase-wrapped staked Ether (cbETH) from the decentralized finance platform Aave.
This borrowed cbETH was then transferred to Raft, where the attacker exploited a smart contract glitch to mint an astonishing 6.7 million R tokens, which constitute Raft’s stablecoin.
The ill-gotten funds were promptly funneled off the platform through liquidity pools on decentralized exchanges Balancer and Uniswap, ultimately yielding the hacker $3.6 million in gains.
The attack had a detrimental impact on the R stablecoin’s peg to the U.S. dollar.
The post-mortem report identified the primary cause of the incident as a precision calculation issue when minting share tokens, enabling the attacker to amass extra share tokens.
The attacker capitalized on the amplified index value, significantly boosting the value of their shares.
This security lapse went unnoticed despite the smart contracts having undergone audits by blockchain security firms Trail of Bits and Hats Finance, highlighting the unfortunate inability of these audits to detect the vulnerabilities that led to the breach.
READ MORE: Spanish Regulator Takes Action Against Fraudulent Crypto Promoters
In response to the incident, Raft has taken a series of measures.
They have filed a police report and are collaborating with centralized exchanges to trace the flow of the stolen funds.
Currently, all of Raft’s smart contracts remain suspended. However, users who had minted R tokens still have the option to settle their positions and recover their collateral.
This event serves as another sobering reminder of the ongoing challenges and risks associated with decentralized stablecoins.
It underscores the critical importance of implementing robust security measures and maintaining vigilance within the DeFi space.
This incident is not an isolated case within the decentralized stablecoin realm.
In December 2022, the decentralized stablecoin HAY also experienced a depegging from the U.S. dollar due to a hacker exploiting a smart contract glitch, enabling them to mint 16 million HAY tokens without proper collateral.
HAY has since managed to reestablish its peg, partly due to the protocol’s requirement of a collateralization ratio of 152% at the time of the exploit, which served as a risk management safeguard.
Discover the Crypto Intelligence Blockchain Council
