The operators of decentralized finance (DeFi) lending and credit protocol Fortress announced on Sunday that about $3 million worth of cryptocurrency was stolen during an oracle manipulation attack.
The company — which bills itself as a money market and stablecoin protocol on the Binance Smart Chain — explained in a series of tweets that the digital assets were stolen and deposited into cryptocurrency mixing service Tornado.
“Fortress has been hit with what we believe is an oracle manipulation attack draining all funds. We are investigating to determine the exact method of attack. PLEASE DO NOT SUPPLY ANY ASSETS TO FORTRESS!” the company said.
We are absolutely devastated. We will provide updates as soon as any information is available. — Fortress Protocol (@Fortressloans) May 9, 2022
This is the address that implemented the attack: https://t.co/w50Hllxffn
Transaction that started the oracle attack: https://t.co/AGAqCVc1f1
The theft involved 1,048.1 in Ethereum and 400,000 of the stablecoin known as DAI.
“We need the support of all of our partners and key organizations in the community to assist and try to freeze and bring back the funds! IF THERE IS ANYTHING ANYONE CAN DO PLEASE DM US!” the company said.
The price of the Fortress native token, FTS, has since tanked more than 45%, according to Coinbase.
The FTS price according to Coinbase.
Blockchain security companies PeckShield and BlockSec noted that the chain oracle used by Fortress “can be hijacked by anyone due to the lack of power verification.” Blockchain oracles connect different blockchains with off-chain data.
Both companies explained that the hacker was able to change the price of FTS and used a large purchase of the coin to make other changes.
Last month, DeFi protocol Inverse Finance lost $15 million in a similar price oracle manipulation scam, where an attacker uses the manipulated price of a coin as collateral to drain assets from a DeFi platform.
2/ The attacker called this function and changed the price of FTS directly. Furthermore, the attacker used $8000 to buy 296,193 FTS to vote for a proposal that adds the FTS token as collateral. pic.twitter.com/Xs3Qg8Cem4 — BlockSec (@BlockSecTeam) May 9, 2022
Blockchain security firm PeckShield also warned DeFi data oracle Umbrella Network about its involvement in the incident. The company released its own statement saying it is “aware of the recent exploits that may have stemmed from an Umbrella Network price feed error.”
“We’re currently looking into the matter with our team and partners. We have already deployed a hotfix to address the issue that was identified by our internal team, and corroborated by PeckShield,” Umbrella Network wrote.
The Fortress Protocol was built by developers with the Jetfuel Finance Multi Chain Ecosystem. That company sent out a statement notifying its users that supply and borrow features on the Fortress Loans app have been disabled “until further notice.”
“This only impacts the UI of the website, all smart contracts are still operational. There is a FIP in place now to reset the $FTS collateral factor back to 0%,” they explained.
PeckShield said that as of May 1, more than $1.57 billion in cryptocurrency has been stolen from DeFi platforms in 2022, already surpassing 2021’s total of $1.55 billion.