A criminal went on the run with over 44 RBTC using price manipulation techniques in a Sovryn lending group.
Sovryn – a decentralized finance protocol based on Bitcoin – had more than $1 million in withdrawals on October 4 through price manipulation. The attack allowed the perpetrator to withdraw more than $1 million in cryptocurrencies from the protocol, including 44.93 RBTC and 211,045 USDT.
Sovryn gets hacked for the first time
According to Sovryn’s blog post on the subject, the attacks specifically target the Sovryn protocol – Borrow/Lend. It affected the RBTC and USDT lending pools .
RBTC and USDT are crypto assets to Bitcoin and US dollar respectively. These coins circulate on Rootstock (RSK), a Bitcoin Sidechain for scaling Bitcoin smart contracts , dapps, and scalability. Sovryn is a Defi protocol built on top of RSK.
“Due to the multi-layered security approach taken, developers can identify and withdraw funds when an attacker is trying to withdraw. At this point, through a combined effort, the developers have managed to recover about half the value of the attack.”
Sovryn spokesman Edan Yago said it was the first successful attack against the protocol in two years of operation. He claims that Sovryn is “one of the most heavily audited Defi systems,” with bonuses for finding bugs in the system.
The attack by manipulating the price of Sovryn’s iToken – an interest-bearing token that represents the cryptocurrency held by users in the lending pool. The price of this token is updated every time the position of the lending pool changes.
How hackers attack the system
First, the attacker bought WRBTC (wrapped RBTC) using a quick swap in RskSwap. He then borrowed more WRBTC from Sovryn’s loan agreement using his own XUSD (another stablecoin) as collateral.
“The attacker then provided liquidity to the RBTC loan contract, closed their loan with a swap using their XUSD collateral, redeemed (burned) their iRBTC tokens, and send WRBTC back to RskSwap to complete fast swap.”
The whole process manipulated the iToken price so that an attacker could withdraw more RBTC from the lending pool than it did on the first deposit.
Sovryn clarified that user funds were not affected by the hack. Any value missing from the lending pools will be added by Exchequer – Sovryn treasury.