The rise in the usage of cryptocurrency and blockchain has changed the way traditional financial transactions are done. Various protocols and platforms have been introduced. Decentralized finance (DeFi) enables users to make peer-to-peer financial transactions on public blockchains. Within the DeFi platform, various protocols handle financial transactions. These protocols have been in the crosshairs of cybercriminals that have deprived many users of their digital currency and caused millions of financial losses. Out of many DeFi protocols, Rikkei was also one which got targetted by hackers
What is Rikkei Finance?
Rikkei Finance also known as “RiFi” is a blockchain-based Decentralized finance protocol that deals with financial transactions on public ledgers. Since the protocol uses blockchain it enables cross-chain integration that enables users to receive digital assets from the different blockchain networks. Another feature of this protocol is rendering the digital assets at an identical rate making it a real-time currency exchange.
Rikkei Finance Hack: How did it happen and what went wrong?
The incident was recorded by various blockchain-based security solutions providers and platforms. The hack occurred at approximately 11:18 on April 15, 2022 (Beijing Time). According to “Know Chuangyu blockchain Security Laboratory” 2600 BNB (approximately $1.085 million) were stolen and transferred to the hacker via Tornado cash which is a decentralized privacy solution built on Ethereum.
The hack was acknowledged by Rikkei Finance in a press release
Source: Twitter
RiFi assured that it will compensate all of its users that were affected by the hack.
Analysis of the Hack
RiFi platform uses PriceOracle smart contract that is utilized to fetch a price of various tokens from ChainLinks oracle contracts. The hacker found a vulnerability in the source code of the PriceOracle smart contract through which he was able to make unauthorized changes to the contract addresses.
Below images show the entire hack event that involves various token transfers to different addresses
Source: Knowseclab.com
Source: Knowseclab.com
From the above images following information is extracted
- Attack contract: 0xe6df12a9f33605f2271d2a2ddc92e509e54e6b5f 0x9ae92cb9a3ca241d76641d73b57c78f1bcf0b209
- Attacker address: 0x803e0930357ba577dc414b552402f71656c093ab
- Malicious oracle address: 0xa36f6f78b2170a29359c74cefcb8751e452116f9 0x99423d4dfce26c7228238aa17982fd7719fb6d7f
- Attack tx: 0x93a9b022df260f1953420cd3e18789e7d1e095459e36fe2eb534918ed1687492 0x4e06760884fd7bfdc076e25258ccef9b043401bc95f5aa1b8f4ff2780fa45d44
- Attacked oracle address: 0xd55f01b4b51b7f48912cd8ca3cdd8070a1a9dba5
The attacker’s flow of attack
The attacker adopted the following flow of attack
- The hacker used the setOracleData() Function in the source code and replaced the Oracle with a malicious one. The below image shows the visibility of the SetOracleData() function whose visibility is public and can be called externally
Source: Knownsec blockchain lab
The actual price before modifying the function value i.e. the token value can be seen in the image below.
(Price Before manipulation)
Modification of rToken
- In the first transaction, initially, a small amount of BNB was supplied as collateral. Collateral in crypto-lending terms is defined as a cryptocurrency asset that the borrower ensures as a guarantee that the loan will be paid. The value of this transaction was manipulated via a false PriceOracle
- In the second transaction, a large number of tokens were borrowed that were available in the lending market. This transaction was made possible by supplying BUSD as collateral and manipulating the value via false PriceOracle
Source: bscscan.com
- The attacker laundered the stolen tokens in a form of BNBs via the tornado cash which was conducted in batches.
Source: bscscan.com
- In this way, the attacker was able to steal 2,600 BNB (about 1.085 million U.S. dollars) by manipulating a platform function whose visibility was set to external which lead to accessing it from an external source
Present and Future mitigation by RiFi
When the hack was detected, RiFi immediately disabled all lending and borrowing functions to protect its users from getting affected. The PriceOracle vulnerability was patched after the incident. Below are some of the additional measures were also mentioned by RiFi for future mitigations against such attacks
- The source code of the platform will be reviewed frequently for any major change in the code
- The release process will be revised
- The function PriceOracle will be redesigned for enhanced security
- Additionally, price anomaly detections will be implemented that may include Price anchoring to PancakeSwap TWAP, and price feeds for referencing.
- Additional safety nets will be deployed such as Time Delay, Time lock on administrative changes to the code, capping on borrowing/limiting
- Reserved liquidity
Additionally, since such a platform uses a lot of different functions and procedure calls it is highly recommended to plan a security code review and security audit before deploying the protocol in the public. Apart from this proper access controls and audit trails should be implemented to detect and respond to future incidents like the one under discussion.