Fortress, a decentralized finance (DeFi) lending protocol with an algorithmic money market and a synthetic stablecoin, has suffered an oracle price manipulation attack that resulted in the loss of all of its funds.
"Fortress has been hit with what we believe is an oracle manipulation attack draining all funds," the project said on Twitter. "We are investigating to determine the exact method of attack."
We are absolutely devastated. We will provide updates as soon as any information is available. This is the address that implemented the attack: https://t.co/w50Hllxffn Transaction that started the oracle attack: https://t.co/AGAqCVc1f1
Blockchain security firm PeckShield also tweeted about the attack, saying that ETH 1,048 (USD 2.58m) and DAI 400,000, cumulatively worth around USD 2.98m, were stolen from the project. Fortress provided the same numbers.
Fortress is an algorithmic money market and synthetic stablecoin protocol designed to bring credit and lending to users on Binance Smart Chain (BSC).
After exploiting the protocol, the attacker bridged all stolen funds to Ethereum (ETH) before depositing them into the popular crypto mixer Tornado Cash, Etherscan transactions show.
Blockchain security firm BlockSec detailed that the Chain oracle used by Fortress lacked power verification, which enabled anyone to hijack it.
"The `submit` function of the Chain oracle can be called by anyone and doesn’t have a power verification," BlockSec said on Twitter, adding that the attacker called this function and changed the price of the project's native token FTS directly.
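The missing check BlockSec describes can be modelled off-chain as below. This is an added example, not code from Fortress or from the oracle's contract: the validator names, stakes, the two-thirds quorum and the HMAC signatures (a stand-in for on-chain signature recovery) are all assumptions.

```python
import hashlib
import hmac

# Constructed validator set: name -> (secret key, staked power). HMAC stands in
# for the signatures a real on-chain oracle would recover signer addresses from.
VALIDATORS = {
    "val-a": (b"key-a", 40),
    "val-b": (b"key-b", 35),
    "val-c": (b"key-c", 25),
}
TOTAL_POWER = sum(power for _, power in VALIDATORS.values())
REQUIRED_POWER = TOTAL_POWER * 2 // 3 + 1  # assumed quorum: more than two thirds


def sign(name, key, asset, price):
    """Produce one validator's (name, signature) pair over an asset price."""
    msg = f"{asset}:{price}".encode()
    return name, hmac.new(key, msg, hashlib.sha256).hexdigest()


class Oracle:
    def __init__(self, verify_power):
        self.verify_power = verify_power  # False models the flawed oracle
        self.prices = {}

    def signed_power(self, asset, price, signatures):
        """Sum the stake of distinct known validators whose signature verifies."""
        msg = f"{asset}:{price}".encode()
        seen, power = set(), 0
        for name, sig in signatures:
            if name in seen or name not in VALIDATORS:
                continue  # ignore duplicates and unknown signers
            key, stake = VALIDATORS[name]
            expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, sig):
                seen.add(name)
                power += stake
        return power

    def submit(self, asset, price, signatures):
        """Price update that any caller may send, as in the quoted description."""
        if self.verify_power:
            if self.signed_power(asset, price, signatures) < REQUIRED_POWER:
                return False  # not enough staked power behind this price
        self.prices[asset] = price
        return True
```

With `verify_power=False` any caller sets any price; with it enabled, an update is stored only when distinct validators holding at least `REQUIRED_POWER` signed that exact asset and price.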
Moreover, the attacker used USD 8,000 and purchased FTS 296,193 to "vote for a proposal that added the FTS token as collateral." Subsequently, the attacker was able to use FTS