The Fortress protocol — an algorithmic money market and DeFi lending protocol — has drained all funds following an oracle manipulation attack. The stolen cryptocurrencies have since been bridged from Binance Smart Chain to Ethereum and mixed using the privacy protocol Tornado Cash.
On Monday, blockchain security firm CertiK shared information about the hack with CryptoPotato. The first is that the hackers used ETH to buy a large amount of FTS — the governance token that governs the FTS protocol.
The quorum for the Fortress loan governance contract is 400,000 FTS. At the time of the hack, this was only worth $18,000, and represented fewer coins than the attackers held. In other words, he now has the power to change the proposal through any protocol he likes.
Therefore, he passed proposal ID 11, which changed the collateral factor of FTS tokens in loan contracts from 0 to 700,000,000,000,000,000. He also updated the price oracle used by the loan contract to update the price of the token even with zero voting power.
“With these updates, the value of the attacker collateral (FTS) has increased significantly, so the attacker was able to borrow large amounts of other tokens from the loan contract,” CertiK explained on Twitter.
The attacker used his remaining FTS to borrow a large amount of tokens, which he converted into over 1000 ETH and over 400,000 DAI – worth over $3 million at the time of the hack. He then deployed a self-destructing mechanism in the malicious smart contract and quickly transferred the loot to Tornado Cash.
The Stronghold Protocol team said they were “completely devastated” by yesterday’s events. They called on the community not to deposit any assets in Fortress and called on all available partners to assist in recovering funds.
Tornado Cash: The crime tool of choice
Both the ETH needed to buy the hacker’s initial FTS and the ETH representing the hacker’s loot go in and out through Tornado Cash. The hybrid protocol breaks the link between sender and receiver addresses on Ethereum, allowing hackers to hide their identities from start to finish.
The same protocol has worked well for many cryptocurrency thieves over the past few months. The individual or group behind the $600 million Ronin hack in March is now solely responsible for 15 percent of the funds deposited into the mixer.
In January, approximately $14.6 million worth of ETH stolen from Crypto.com was laundered through Tornado.
Binance Free $100 (Exclusive): Use this link to sign up and get your first month of Binance Futures $100 free and 10% in fees (terms).
PrimeXBT Special Offer: Use this link to sign up and enter code POTATO50 to get a deposit of up to $7,000.