Featured image from Pixabay and chart from TradingView.com
Bad actors breach Bitcoin-backed DeFi protocol and steal $1 million
Recently, Sovryn, a Bitcoin-based DeFi protocol, lost $1 million in digital assets through a hack. The hacker carried out the attack through price manipulation and carried off $1 million in crypto, including 44.93 RBTC and 211,045 USDT.
The incessant hack attacks on crypto platforms have become a plague in the crypto industry, leaving questions about who will be next. The series of hacks has left the crypto ecosystem on edge.
Commenting on the news in a blog post, Sovryn said the attackers were targeting the old Sovryn Borrow/Lend protocol. The action affected the RBTC and USDT lending pools.
The Sovryn protocol runs on Rootstock (RSK). RBTC is a Bitcoin-pegged crypto-asset, while USDT is a dollar-pegged stablecoin. Both RSDT and USDT circulate on Rootstock. Rootstock is a side chain of Bitcoin that enabled expansion of Smart Contracts, DApp and increased scalability.
During the Sovryn attack, funds were withdrawn using Sovryn’s exchange features, leading to the removal of many tokens. But Sovryn is trying to get the fund back. Sovryn spokesman Edan Yago said the developers took a multi-layered security approach and recovered half of the funds before the withdrawal.
Sovryn’s hacker manipulated iToken prices
Edan said the attack marks the first successful attack against Sovryn in two years of operation. He further said that Sovryn is the most comprehensive revised DeFi protocol, with active and valuable bug bounty systems.
Sovryn explained that the hack worked through Sovryn’s interest-bearing token (iToken) awards. iTokens are interest-bearing tokens that users have in lending pools. Interest-bearing tokens’ prices are updated every time there is an interaction with a lending pool.
Sovryn’s attacker used flash swaps in RsKSwap to buy wrapped RBTC. He borrowed more wrapped RBTC from Sovryn’s lending contract with his XUSD as collateral. He redeemed the funds by burning iRBTC (interest bearing RBTC) and sent the wrapped RBTC back to RskSwap to complete the flash exchange.
The process changed and manipulated the iRBTC price and allowed the attacker to withdraw more RBTC from the lending pool than the initial deposit.
Sovryn confirmed that users’ funds were not affected during the exploitation, and the Treasury would replace lost value. The State Treasury is Sovryn’s treasury.
Other DeFi Hack Exploits in 2022
The DeFi ecosystem has suffered several hack attacks in 2022. Blockchain security firm PeckShield revealed that hackers stole over $2.32 billion in over 135 exploits from the DeFi ecosystem this year.
Some of the best DeFi hacks of 2022 include the Ronin Network hack, which accounted for a loss of $620 million on March 23. On February 2, the Wormhole Bridge attack also caused a loss of $320 million. Finally, Nomad Bridge was hacked on August 2, and the attackers stole $190 million in cryptocurrency.
The list goes on and on, with more than ten recorded hack attacks in 2022 alone. For example, the Beanstalk Farm exploit caused a loss of $182 million in crypto, and the Wintermute hack caused a loss of $160 million in digital assets.
