Rikkei Finance: Incident Post Mortem

Incident Re-constructed:

  • The RiFi lending protocol determines the value of collateral and borrowed assets through a PriceOracle smart contract, which fetches the prices of the supported tokens from ChainLink oracle (price feed) contracts.
  • The attacker (address: 0x803e0930357ba577dc414b552402f71656c093ab) found a vulnerability in the source code of the PriceOracle smart contract. By exploiting this vulnerability, the attacker could make unauthorized changes to the contract addresses (the price feed sources) used by the PriceOracle.
  • The attacker deployed a fake ChainLink contract that returned incorrect prices and then pointed the PriceOracle at this fake contract. This was done twice, in two transactions in quick succession.
  • In the first transaction, the attacker supplied a small amount of BNB as collateral and, by inflating its reported value through the fake price feed, was able to borrow a large amount of the tokens available in the lending markets.
  • In the second transaction, the attacker supplied BUSD as collateral and, by inflating its reported value in the same way, was again able to borrow a large amount of the tokens available in the lending markets.
  • Once the exploit was detected, all lending and borrowing functions were suspended to protect our users and safeguard the platform.
  • The stolen tokens, worth approximately $1.1M, were then converted into BNB through PancakeSwap.
  • It is believed the BNB was then laundered through Tornado.Cash.
  • You can see the transactions in detail at: https://bscscan.com/tx/0x93a9b022df260f1953420cd3e18789e7d1e095459e36fe2eb534918ed1687492

The Fix:

Additional Corrective Measures:

  • Update the audit after deploying the incident fix (report viewable here: https://rikkei.finance/peckshield-audit-report )
  • Revise our release process
  • Redesign our PriceOracle for enhanced security
  • Address large and sudden price movements; mechanisms may include:
  • Additional safety nets:
  • Additional monitoring to detect suspicious changes or activities
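To make the reconstruction above concrete, and to sketch the kind of PriceOracle redesign the corrective measures point at (owner-only feed changes, handling of large and sudden price movements, an event that monitoring can watch), here is an added Solidity illustration. It is not RiFi's code and not taken from the PeckShield report; the post does not show the vulnerable function, so the vulnerable contract below models only what the post states: a setter for feed addresses that anyone can call. The names (setFeed, getPrice, FakeAggregator, FeedChanged), the owner-only modifier and the staleness and deviation thresholds are all assumptions made for the example. The AggregatorV3Interface signatures are ChainLink's real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of ChainLink's AggregatorV3Interface (these signatures are the real ones).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// VULNERABLE (illustrative, not RiFi's code): the feed for a token can be changed by anyone.
contract PriceOracleVulnerable {
    mapping(address => AggregatorV3Interface) public feeds;

    // Hypothetical setter modelled on the post's description: no access control at all.
    function setFeed(address token, address aggregator) external {
        feeds[token] = AggregatorV3Interface(aggregator);
    }

    // Whatever the configured feed answers is trusted as the price.
    function getPrice(address token) external view returns (uint256) {
        (, int256 answer, , , ) = feeds[token].latestRoundData();
        return uint256(answer);
    }
}

// What an attacker deploys: a "feed" that returns any price it was constructed with.
// Attack sequence against the vulnerable oracle: deploy FakeAggregator(hugeAnswer),
// call setFeed(collateralToken, fake), supply a little collateral, borrow against the
// inflated valuation, swap the borrowed tokens out.
contract FakeAggregator is AggregatorV3Interface {
    int256 public answer;
    constructor(int256 _answer) { answer = _answer; }
    function decimals() external pure override returns (uint8) { return 8; }
    function latestRoundData() external view override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (1, answer, block.timestamp, block.timestamp, 1);
    }
}

// HARDENED (illustrative): owner-only feed changes, sanity checks on the new feed,
// an event for monitoring, and staleness plus deviation checks on every read.
contract PriceOracleHardened {
    address public immutable owner;
    mapping(address => AggregatorV3Interface) public feeds;
    mapping(address => uint256) public lastPrice;          // last accepted price per token
    uint256 public constant MAX_STALENESS = 1 hours;       // assumed threshold
    uint256 public constant MAX_DEVIATION_BPS = 2000;      // 20% per read, assumed threshold

    // Off-chain monitoring should alert on every emission of this event.
    event FeedChanged(address indexed token, address indexed oldFeed, address indexed newFeed);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setFeed(address token, address aggregator) external onlyOwner {
        require(aggregator != address(0), "zero feed");
        // Refuse a feed that does not answer sanely before it is ever used for pricing.
        (, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(aggregator).latestRoundData();
        require(answer > 0 && block.timestamp - updatedAt <= MAX_STALENESS, "bad feed");
        emit FeedChanged(token, address(feeds[token]), aggregator);
        feeds[token] = AggregatorV3Interface(aggregator);
    }

    // Not a view: it records the accepted price so the next read can be bounded against it.
    function getPrice(address token) external returns (uint256) {
        AggregatorV3Interface feed = feeds[token];
        require(address(feed) != address(0), "no feed");
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "non-positive price");
        require(answeredInRound >= roundId, "stale round");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale price");
        uint256 price = uint256(answer);
        uint256 prev = lastPrice[token];
        if (prev != 0) {
            uint256 diff = price > prev ? price - prev : prev - price;
            // Circuit breaker: a single read may not move the price more than MAX_DEVIATION_BPS.
            require(diff * 10_000 <= prev * MAX_DEVIATION_BPS, "price moved too far");
        }
        lastPrice[token] = price;
        return price;
    }
}
```

The deviation check is a trade-off rather than a free win: a hard revert on a genuine large move also blocks liquidations that the protocol needs at exactly that moment, so a production design pairs it with a pause or governance path and with an off-chain watcher that alerts on FeedChanged events and on reads that hit the deviation or staleness limits. The access-control fix, by contrast, has no trade-off and is the part that would have stopped the attack described above.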
