Bitcoin-based decentralized finance protocol Sovryn suffered a major exploit on Tuesday, with a hacker draining $1.1 million from the protocol.
The hacker exploited a legacy function to drain the protocol, using a price manipulation technique in one of the protocol’s lending pools.
Details Of The Hack
Sovryn published a blog post detailing the attack, which targeted the legacy Sovryn Borrow/Lend protocol and impacted the RBTC and USDT lending pools. The attack allowed the hacker to drain over $1 million worth of crypto from the protocol, including 211,045 USDT and 44.93 RBTC.
RBTC and USDT are pegged to Bitcoin and the US Dollar, respectively. In the case of Sovryn, they are based on Rootstock (RSK), a Bitcoin sidechain designed to expand Bitcoin’s smart contract, decentralized application (dApp), and scaling capabilities. The Sovryn protocol is built on the RSK blockchain. Details of the hack were shared on Twitter by a handle called @web3isgreat, which stated,
“Bitcoin-based DeFi protocol, Sovryn, lost $1 million to a price manipulation attack. An exploiter was able to use the project’s legacy lend and borrow functionality to maliciously withdraw 44.93 RBTC (~$915,000) and 211,045 USDT.”
The attacker also used Sovryn’s AMM swap function to withdraw some of the funds, which meant they ended up with several different types of tokens. The blog post also added that the efforts to recover the funds are still ongoing.
“Due to the multi-layered security approach taken, devs were able to identify and recover funds as the attacker was attempting to withdraw the funds. At this point, through a combined effort, devs have managed to recover about half the value of the exploit.”
First Hack Suffered By Sovryn
According to Sovryn spokesperson Edan Yago, this was the first ever successful exploit of the protocol in its two years of operations. He went on to stress that Sovryn, despite the hack, remains one of the most heavily audited DeFi systems, with several active bug bounties. The exploit manipulated the price of Sovryn’s iTokens, which are interest-bearing tokens that represent the share of crypto held by a user in a lending pool.
How The Exploit Worked
The hacker first purchased WRBTC (Wrapped RBTC) through a flash swap on RskSwap. After this, the hacker borrowed WRBTC from Sovryn’s lending contract, utilizing their own XUSD as collateral. The blog post further elaborated,
“The attacker then provided liquidity to the RBTC lending contract, closed their loan with a swap using their XUSD collateral, redeemed (burned) their iRBTC token, and sent the WRBTC back to RskSwap to complete the flash swap.”
This process helped the hacker to manipulate the iToken price, allowing them to withdraw more RBTC from the targeted lending pool than was initially deposited. However, Sovryn stated that the hack did not impact user funds in any way and that any missing value from the lending pools will be compensated through the Sovryn treasury.
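A defender's view of the round trip described above, as an added example that is not from Sovryn's post or code: a monitor that flags any account that mints and burns iTokens inside one transaction at a higher burn price. The event field names, the sample records and the 0.1% tolerance are assumptions made for illustration, as is the premise that interest accrues over time and so should not move the iToken price within a single transaction.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records, not real chain data. The field names are
# hypothetical: one record per iToken mint or burn, with the underlying moved.
EVENTS = [
    {"tx": "0xaaa", "account": "alice", "kind": "mint", "itokens": "10", "underlying": "10.00"},
    {"tx": "0xbbb", "account": "alice", "kind": "burn", "itokens": "10", "underlying": "10.02"},
    {"tx": "0xccc", "account": "mallory", "kind": "mint", "itokens": "100", "underlying": "100.00"},
    {"tx": "0xccc", "account": "mallory", "kind": "burn", "itokens": "100", "underlying": "145.00"},
    {"tx": "0xddd", "account": "bob", "kind": "mint", "itokens": "5", "underlying": "5.00"},
    {"tx": "0xddd", "account": "bob", "kind": "burn", "itokens": "5", "underlying": "5.00"},
]

def same_tx_price_jumps(events, max_drift=Decimal("0.001")):
    """Flag (tx, account) pairs that mint and burn iTokens in one transaction
    at a burn price above the mint price by more than max_drift (a fraction)."""
    legs = defaultdict(lambda: {"mint": [], "burn": []})
    for ev in events:
        itokens, underlying = Decimal(ev["itokens"]), Decimal(ev["underlying"])
        if ev["kind"] not in ("mint", "burn") or itokens <= 0:
            continue  # unknown or malformed record: no price can be derived
        legs[(ev["tx"], ev["account"])][ev["kind"]].append((itokens, underlying))

    findings = []
    for (tx, account), leg in legs.items():
        if not leg["mint"] or not leg["burn"]:
            continue  # deposit and withdrawal happened in different transactions
        # Volume-weighted price per iToken on each side of the round trip.
        paid = sum(u for _, u in leg["mint"])
        received = sum(u for _, u in leg["burn"])
        mint_price = paid / sum(i for i, _ in leg["mint"])
        burn_price = received / sum(i for i, _ in leg["burn"])
        if burn_price > mint_price * (1 + max_drift):
            findings.append({"tx": tx, "account": account,
                             "mint_price": mint_price, "burn_price": burn_price,
                             "underlying_gain": received - paid})
    return findings

if __name__ == "__main__":
    for finding in same_tx_price_jumps(EVENTS):
        print(finding)
```

Run against indexed pool events, a hit is a signal to pause the pool or alert an on-call engineer; legitimate intra-transaction price movement (for example fees paid into the pool) is the reason for the tolerance parameter.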
What Next?
Sovryn also shed light on how the protocol will handle the issue moving forward. In the blog post, the company stated that efforts to recover assets from the hacker would continue, and a full investigation into the exploit would be launched. The team at Sovryn is also working on a plan to return the system to full functionality. However, it added that the maintenance mode would remain in place until there is complete confidence in system safety. A post-mortem report would be published once the investigation is complete.