DeFi protocol Fortress lost all funds in hack

10.05.2022 - 12:30


What’s new? On May 9, Fortress, a DeFi protocol, was hacked, resulting in the theft of all of the platform’s funds ($3 million). The stolen cryptocurrency was moved from the Binance Smart Chain to Ethereum and mixed using the Tornado Cash transaction mixer. The attack was made possible by the protocol’s decentralized autonomous organization (DAO) governance and the manipulation of a price oracle. The quorum on the Fortress Credits governance contract was 400 000 FTS ($18 000 at the time of the hack). This was reported by the cybersecurity company CertiK on Twitter.

Details of the hack. To initiate the attack, the attackers needed ETH, which they obtained through Tornado Cash. They used it to buy FTS governance tokens. The hackers then got proposal ID 11 accepted, which changed the collateral factor on FTS tokens within loan contracts, voting for it with the governance tokens they had acquired. They also added FTS to the loan contracts as collateral. After the proposal was passed, the hackers changed the collateral factor on FTS tokens within loan contracts from 0 to 700 000 000 000 000 000. They also updated the price oracle so that the value of the token would change even if no one voted to change the price. The attackers converted the tokens into 1000 ETH and 400 000 DAI and withdrew them via Tornado Cash.
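The figures above can be run through the kind of proposal review a governance monitor might apply. This is an added example, not code from Fortress or CertiK; the 18-decimal scaling of the collateral factor, the record fields, the finding codes and the `min_ratio` policy are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

MANTISSA = Decimal(10) ** 18  # assumption: factor stored as 18-decimal fixed point


@dataclass
class Proposal:            # hypothetical record of a collateral-factor proposal
    proposal_id: int
    market_token: str
    old_factor_raw: int
    new_factor_raw: int


@dataclass
class Governance:          # hypothetical snapshot taken when the proposal appears
    gov_token: str
    quorum_cost_usd: Decimal    # market cost of buying the quorum
    funds_at_risk_usd: Decimal  # assets held by the lending contracts


def decode_factor(raw: int) -> Decimal:
    return Decimal(raw) / MANTISSA


def quorum_ratio(g: Governance) -> Decimal:
    return g.quorum_cost_usd / g.funds_at_risk_usd


def review(p: Proposal, g: Governance, min_ratio=Decimal(1)):
    """Return (code, detail) findings; min_ratio=1 is an assumed policy."""
    findings = []
    old, new = decode_factor(p.old_factor_raw), decode_factor(p.new_factor_raw)
    if not Decimal(0) <= new <= Decimal(1):
        findings.append(("FACTOR_OUT_OF_RANGE", str(new)))
    if old == 0 and new > 0:  # token newly accepted as collateral
        findings.append(("FACTOR_ENABLED", f"{p.market_token}: 0 -> {new}"))
    if p.market_token == g.gov_token and new > 0:  # voters can borrow against votes
        findings.append(("GOV_TOKEN_COLLATERAL", p.market_token))
    if quorum_ratio(g) < min_ratio:  # buying the vote costs less than it controls
        findings.append(("CHEAP_QUORUM", f"{quorum_ratio(g):.2%} of funds at risk"))
    return findings


# Constructed from the figures reported in the article.
FORTRESS_GOV = Governance("FTS", Decimal(18_000), Decimal(3_000_000))
PROPOSAL_11 = Proposal(11, "FTS", 0, 700_000_000_000_000_000)

if __name__ == "__main__":
    for code, detail in review(PROPOSAL_11, FORTRESS_GOV):
        print(code, detail)
```

Under the assumed scaling the new factor decodes to 0.7, and the quorum cost is 0.6% of the funds it governed.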

What events happened before? On April 30, Saddle Finance, an exchange, lost $10 million in a hack. The attackers managed to withdraw 3540 ETH. BlockSec was able to save another $3.8 million from the hackers with its attack detection system.

At the end of April, hackers withdrew more than $80 million from the Rari Capital and Fei Protocol DeFi platforms. They exploited a reentrancy vulnerability in Rari Capital’s Fuse pools lending protocol. Fei offered to let the attackers keep $10 million of the stolen funds as a “reward” if the remaining funds were returned.

According to a report by the cybersecurity company CertiK, $1.67 billion was stolen from DeFi protocols in the first four months of 2022. March accounted for the largest amount stolen, $719.2 million. That month’s figure surpassed the total losses from hacking for all of 2020 by $200 million.

