Decentralized USD stablecoin protocol Raft says that, despite multiple security audits, it suffered a security breach last week that resulted in a $6.7 million loss.
According to the project’s Nov. 13 postmortem report, a few days earlier a hacker borrowed 6,000 Coinbase-wrapped collateralized ether (cbETH) on decentralized finance protocol Aave, moved the funds to Raft, and exploited a smart contract glitch to mint 6.7 million tokens of the Raft stablecoin, “R”.
The unauthorized minted funds were then swapped out of the platform through the liquidity pools of decentralized exchanges Balancer and Uniswap, resulting in a net gain of $3.6 million. The R stablecoin depegged after the attack.
According to the report:
“The main reason is an issue with the precise calculations when minting stock tokens, which allows attackers to obtain additional stock tokens. Attackers exploit the amplified index value to increase the value of their shares.”
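The following sketch is an added illustration, not code from Raft's contracts or its postmortem. It is a simplified, constructed model of an index-scaled share token showing one way a precision issue at mint time can hand out more shares than a deposit backs once the index is large, together with the solvency invariant a test suite can assert. The class, function names, rounding behaviour and all values are assumptions.

```python
WAD = 10**18  # 18-decimal fixed-point scale (assumed)

def div_down(a, b):
    return a // b

def div_up(a, b):
    return -(-a // b)

class IndexedShareToken:
    """Constructed model: a holder's balance is shares * index / WAD."""

    def __init__(self, index, round_up_on_mint):
        self.index = index                    # WAD-scaled index value
        self.round_up_on_mint = round_up_on_mint
        self.total_shares = 0
        self.backing = 0                      # underlying units actually deposited

    def mint(self, amount):
        div = div_up if self.round_up_on_mint else div_down
        shares = div(amount * WAD, self.index)
        if shares == 0:
            # With floor rounding a tiny deposit earns nothing; reject it
            # rather than take the depositor's funds.
            raise ValueError("deposit rounds to zero shares")
        self.total_shares += shares
        self.backing += amount
        return shares

    def claims(self):
        # Value all outstanding shares can redeem, rounded down.
        return self.total_shares * self.index // WAD

    def solvent(self):
        # Invariant a test suite or fuzzer should assert after every mint.
        return self.claims() <= self.backing

def run_mints(round_up, index=1000 * WAD, amount=1500, count=10):
    token = IndexedShareToken(index, round_up)
    for _ in range(count):
        token.mint(amount)
    return token

if __name__ == "__main__":
    for label, round_up in (("round up", True), ("round down", False)):
        t = run_mints(round_up)
        print(label, "claims:", t.claims(), "backing:", t.backing, "solvent:", t.solvent())
```

Rounding in the protocol's favour on mint keeps the invariant; rounding in the minter's favour breaks it, and the gap per mint grows with the index.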
The smart contracts involved in the incident were audited by blockchain security companies Trail of Bits and Hats Finance. “Unfortunately, these audits did not uncover the vulnerability that led to this incident,” Raft developers wrote.
The project said it has filed a police report following the incident on November 10 and is currently working with centralized exchanges to trace the flow of stolen funds. All of Raft’s smart contracts are currently suspended, but users who minted R “retain the ability to pay off their positions and get back their collateral.”
Decentralized stablecoins are minted using users’ cryptocurrency deposits as collateral. In December last year, a hacker exploited a smart contract glitch to mint 16 million HAY without proper collateral, causing the decentralized stablecoin HAY to depeg from the U.S. dollar. The HAY stablecoin has since been repegged, in part because the protocol requires a collateralization ratio of 152% at the time of utilization as part of risk management.
We are aware of potential security vulnerabilities.
We are currently investigating and will provide an update as soon as possible.
— Raft (@raft_fi) November 10, 2023