Rikkei Finance: Incident Post Mortem

At 03:18:38 AM +UTC on April 15, 2022, the Rikkei Finance lending and borrowing protocol was attacked. The total impact of the exploit was 2,672 BNB or approximately $1.1M USD.

We issue this incident post mortem to the community to address the questions relating to the attack, our corrective actions as well as longer term measures. As part of our corrective action is to reimburse all impacted users to ensure no one experiences a loss due to this incident of theft. In addition, we are working with law enforcement officials to track down the attackers and bring them to justice.

Incident Re-constructed:

• RiFi lending protocol determines the value of collateral and borrows through a PriceOracle smart contract, which fetches the price of various tokens from ChainLink oracle contracts.
• The attacker (address: 0x803e0930357ba577dc414b552402f71656c093ab) found a vulnerability in the source code of the PriceOracle smart contract. By manipulating this vulnerability, the attacker could make unauthorized changes to contract addresses used by the PriceOracle.
• The attacker deployed a fake ChainLink contract to return incorrect prices and then directed the PriceOracle to this fake contract. This action was completed on two instances involving two transactions in quick succession.

• In the first transaction, the attacker supplied a small amount of BNB as collateral, and by manipulating its value via the false PriceOracle, was able to borrow a large amount of tokens available in the lending markets.
• In the second transaction, supplied BUSD as collateral, and by manipulating its value via the false PriceOracle, was able to borrow a large amount of tokens available in the lending markets.
• Once the exploit was detected, all lending and borrowing functions were suspended to protect our users and safeguard the platform.
• The stolen tokens, worth approximately $1.1M USD, were then converted into BNB through PancakeSwap.
• It is believed the BNB was then laundered through Tornado.Cash
• You can see the transactions in detail at: https://bscscan.com/tx/0x93a9b022df260f1953420cd3e18789e7d1e095459e36fe2eb534918ed1687492

• You can view the Tornado.Cash transaction details here: https://bscscan.com/address/0x803e0930357ba577dc414b552402f71656c093ab

The Fix:

We have identified and understand the underlying vulnerability in the code and have deployed updates to address the vulnerable PriceOracle. In addition, we will begin repaying impacted users starting on April 19, 2022. We target to have all reimbursements completed and restore both liquidity as well as lending and borrowing services of the platform by April 22, 2022.

Additional Corrective Measures:

This incident has been a painful learning experience. Beyond the instant fix, we will also look at additional corrective measures to mitigate risk of future exploits.

• Update audit after deploying incident fix (report viewable here: https://rikkei.finance/peckshield-audit-report )
• Revise our release process
• Redesign our PriceOracle for enhanced security
• Address large & sudden price movements, mechanisms may include:

+Price anchoring to PancakeSwap TWAP

+Multiple price feeds for referencing

• Additional safety nets:

+Time delay / Time lock on Administrator or configuration actions

+Borrow limit / Borrow cap

+Mandatory reserved liquidity

• Additional monitoring to detect suspicious changes or activities

We remain committed to our users, our investors and our platform. We are determined to learn from our mistakes and look towards the future. A sincere thank you to those who support us.