Key Takeaways
- Fortress Protocol has suffered an exploit, and its native token, FTS, has dropped by 42%.
- The hacker has transferred all the funds, i.e., 1,048.1 ETH and 400,000 DAI, into Tornado Cash. The Fortress team has advised everyone not to supply any assets to the protocol at this moment.
Below is a quick overview of this project.
Fortress is an algorithmic money market and synthetic stable coin protocol designed to bring secure and trustless credit and lending to users on Binance Smart Chain. It enables investors to lend and borrow cryptocurrencies by pledging the platform an over-collateralized amount of cryptocurrency.
What was the Team’s Response to the Attack?
Around 8:18 AM IST, the Fortress team tweeted to inform the community about this attack. According to the team, this was an oracle manipulation attack to drain all funds.
The Jetfuel Finance team, which is also behind the Fortress Protocol project, was the first to confirm this attack, on its official Twitter account today around 7:39 AM IST.
Here is the hacker’s address that started the attack: https://bscscan.com/address/0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad. Next, the transaction that initiated the oracle attack: https://bscscan.com/tx/0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf. Finally, here is the address of the official FTS token: https://bscscan.com/token/0x4437743ac02957068995c48e08465e0ee1769fbe.
All the stolen funds have been bridged to Ethereum and deposited into Tornado Cash. Below is the screenshot of all the transactions into Tornado Cash. The team has tweeted: "We need the support of all of our partners and key organizations in the community to assist and try to freeze and bring back the funds! IF THERE IS ANYTHING ANYONE CAN DO, PLEASE DM US!"
How did the Attack occur?
This was a case of an oracle manipulation attack. Below is the screenshot of the code bug by PeckShield.
Anyone can hijack the chain oracle used by Fortress Protocol because it lacks power verification. Below is the screenshot of the exploited code by PeckShield.
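To make the missing power verification concrete, here is an added Python model of a signed price update. It is not the code from PeckShield's screenshot and not Fortress or oracle source. It assumes "power" means the combined stake of the validators who signed an update; the validator names, keys, stakes, the 66% quorum and the HMAC stand-in for signatures are all constructed.

```python
"""Constructed model of a signed price-feed update (not Fortress or oracle source)."""
import hashlib
import hmac

# Hypothetical validator set: name -> (signing key, staked power). Values are constructed.
VALIDATORS = {
    "val-a": (b"key-a", 40),
    "val-b": (b"key-b", 35),
    "val-c": (b"key-c", 25),
}
TOTAL_POWER = sum(stake for _, stake in VALIDATORS.values())
QUORUM_PERCENT = 66  # assumed threshold for this example


def sign(key: bytes, asset: str, price: int) -> bytes:
    """HMAC stands in for the on-chain signature scheme."""
    return hmac.new(key, f"{asset}:{price}".encode(), hashlib.sha256).digest()


def signer_power(asset, price, signatures):
    """Sum the stake of distinct registered validators whose signature verifies."""
    power, seen = 0, set()
    for name, sig in signatures:
        entry = VALIDATORS.get(name)
        if entry is None or name in seen:
            continue  # unknown or duplicate signers contribute nothing
        key, stake = entry
        if hmac.compare_digest(sig, sign(key, asset, price)):
            seen.add(name)
            power += stake
    return power


def submit_unchecked(feed, asset, price, signatures):
    """Weak form: power is computed but never compared with a threshold."""
    signer_power(asset, price, signatures)
    feed[asset] = price
    return True


def submit_checked(feed, asset, price, signatures):
    """Hardened form: reject updates not backed by a quorum of staked power."""
    power = signer_power(asset, price, signatures)
    if power * 100 < QUORUM_PERCENT * TOTAL_POWER:
        return False
    feed[asset] = price
    return True
```

A lending market that reads `feed` trusts whatever the last accepted update wrote, so the threshold comparison in `submit_checked` is the only thing separating a validator quorum from an arbitrary caller.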
So basically, the hacker purchased FTS tokens and then took control of the governance contract. After that, he manipulated the loan contracts and borrowed a large amount of assets from them. Finally, he bridged the funds to Ethereum and sent them to Tornado Cash. In the screenshot below, we can see the complete movement of funds.
As crypto hacks are increasing nowadays, our readers should stay alert.