Fortress Protocol, an algorithmic money market and DeFi lending protocol, was drained of all its funds following an oracle manipulation attack. The stolen crypto has since been bridged from Binance Smart Chain to Ethereum and mixed through the Tornado Cash privacy protocol.
Buying the vote
The blockchain security firm CertiK shared details of the hack with CryptoPotato on Monday. The attack began with the hacker using ETH to buy a significant amount of FTS, the governance token that controls the Fortress protocol.
The quorum for the Fortress Loans governance contract is 400,000 FTS. At the time of the hack that was worth only about $18,000, and it was fewer tokens than the attacker now held. In other words, he had the power to pass any protocol change proposal he wanted.
He therefore passed Proposal ID 11, which changed the collateral factor for FTS tokens within the lending contracts from 0 to 700,000,000,000,000. He also updated the price oracle used by the lending contract, so that the token's price would be accepted even when the submitter's voting power was zero.
“With these updates, the value of the attacker’s collateral (FTS) was significantly increased, allowing the attacker to borrow large amounts of other tokens from the lending contracts,” CertiK explained via Twitter.
The attacker used his remaining FTS to borrow a huge quantity of tokens and converted them into more than 1,000 ETH and more than 400,000 DAI, worth over $3 million at the time of the hack. He then triggered a self-destruct mechanism coded into his malicious smart contract and quickly moved the stolen funds to Tornado Cash.
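The sequence described above (cheap quorum, an unbounded parameter change, and an oracle that accepts a price backed by zero voting power) is easier to reason about in a toy model. The Python below is an added illustration written for this article, not Fortress Protocol or CertiK code. The 400,000 FTS quorum and the 700,000,000,000,000 collateral factor come from the article; the factor is treated as a plain multiplier because the article does not state its scale, and the token balances, prices and the 90% cap are constructed assumptions. It replays the two governance changes once with the checks the protocol evidently lacked and once with two simple invariants that would have rejected them.

```python
"""Toy model of the Fortress-style governance takeover described above.
Added illustration, not Fortress Protocol or CertiK code.  Balances, prices
and the 90% cap are constructed; the 400,000 FTS quorum and the
700,000,000,000,000 collateral factor are from the article, with the factor
treated as a plain multiplier (assumption: the article gives no scale)."""
from dataclasses import dataclass

QUORUM_FTS = 400_000          # fixed token-count quorum, from the article
MAX_COLLATERAL_FACTOR = 0.9   # constructed cap: collateral counts for at most 90%


@dataclass
class Market:
    collateral_factor: float   # share of collateral value that can be borrowed against
    price_usd: float           # oracle price of the collateral token
    last_price_power: int = 1  # voting power behind the last accepted price update

    def borrow_capacity_usd(self, collateral_tokens: float) -> float:
        return collateral_tokens * self.price_usd * self.collateral_factor


@dataclass
class Proposal:
    votes_for: int
    new_collateral_factor: float


def quorum_reached(p: Proposal) -> bool:
    # A fixed token count is what made the takeover cheap: 400,000 FTS
    # cost about $18,000 at the time (article), regardless of the TVL at risk.
    return p.votes_for >= QUORUM_FTS


def execute_unchecked(market: Market, p: Proposal) -> None:
    """Behaviour the article describes: quorum met, parameter applied as-is."""
    if not quorum_reached(p):
        raise PermissionError("quorum not reached")
    market.collateral_factor = p.new_collateral_factor


def execute_checked(market: Market, p: Proposal) -> None:
    """Same quorum rule, plus a hard bound on the parameter itself."""
    if not quorum_reached(p):
        raise PermissionError("quorum not reached")
    if not 0.0 <= p.new_collateral_factor <= MAX_COLLATERAL_FACTOR:
        raise ValueError(
            f"collateral factor {p.new_collateral_factor} outside "
            f"[0, {MAX_COLLATERAL_FACTOR}]")
    market.collateral_factor = p.new_collateral_factor


def submit_price_unchecked(market: Market, price_usd: float, power: int) -> None:
    """Oracle accepting a price even when the submitter has zero voting power."""
    market.price_usd = price_usd
    market.last_price_power = power


def submit_price_checked(market: Market, price_usd: float, power: int) -> None:
    """Reject price updates that carry no voting power behind them."""
    if power <= 0:
        raise PermissionError("price update backed by zero voting power")
    market.price_usd = price_usd
    market.last_price_power = power


def run_scenario(checked: bool) -> dict:
    """Replay both governance changes; report each outcome and the borrow capacity."""
    market = Market(collateral_factor=0.0, price_usd=0.045)  # constructed: ~$18k/400k FTS
    proposal = Proposal(votes_for=410_000, new_collateral_factor=700_000_000_000_000.0)
    attacker_fts = 410_000.0                                  # constructed holding
    execute = execute_checked if checked else execute_unchecked
    submit = submit_price_checked if checked else submit_price_unchecked
    steps = {
        "proposal": lambda: execute(market, proposal),
        "price": lambda: submit(market, 1.0, 0),  # constructed manipulated price, zero power
    }
    outcome = {}
    for name, step in steps.items():
        try:
            step()
            outcome[name] = "applied"
        except (ValueError, PermissionError):
            outcome[name] = "rejected"
    outcome["capacity_usd"] = market.borrow_capacity_usd(attacker_fts)
    return outcome


if __name__ == "__main__":
    print("unchecked:", run_scenario(False))
    print("checked:  ", run_scenario(True))
```

With the unchecked functions both changes go through and the borrow capacity of a holding worth a few thousand dollars becomes astronomically large; with the checked versions the proposal fails the parameter bound and the price submission fails the voting-power check, and the capacity stays at zero. Neither check touches the quorum rule, which illustrates the point that a cheap quorum is dangerous exactly when the parameters it can set are unbounded.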
The Fortress Protocol team said they were “absolutely devastated” by yesterday’s events. They have urged the community not to deposit assets into Fortress and are enlisting every available partner to help recover the funds.
Tornado Cash: Criminal tool of choice
Both the ETH used to buy the hacker’s initial FTS and the ETH representing the stolen funds passed through Tornado Cash. The mixing protocol breaks the link between a sender and a receiver address on Ethereum, allowing the hacker to keep their identity hidden from start to finish.
The same protocol has served numerous crypto thieves in recent months. The person or group behind March’s $600 million Ronin hack alone has put 15% of the funds through the mixer.
In January, roughly $14.6 million worth of ETH stolen from Crypto.com was laundered through Tornado Cash.
Source: Crypto News Deutsch