Sovryn, a Bitcoin-based decentralized finance protocol, had more than $1 million in funds withdrawn on Tuesday in a price-manipulation exploit.
An attacker made off with over 44 RBTC using a price manipulation technique in one of the protocol's lending pools.
The attack allowed the perpetrator to withdraw more than $1 million in cryptocurrencies from the protocol, including 44.93 RBTC and 211,045 USDT.
Sovryn’s first hack
According to Sovryn's blog post on the topic, the attack specifically targeted the Sovryn Borrow/Lend protocol and affected the RBTC and USDT lending pools.
RBTC and USDT are crypto assets pegged to the price of Bitcoin and the US dollar, respectively. In this case, they circulate on Rootstock (RSK), a Bitcoin sidechain meant to bring smart contracts, dapps, and scalability to Bitcoin. Sovryn is a DeFi protocol built on top of RSK.
Some of the funds appear to have been withdrawn using Sovryn's AMM swap function, meaning the attacker ended up with a number of different tokens. Efforts to recover the funds are still ongoing.
“Due to the multi-layered security approach taken, developers are able to identify and recover funds when an attacker is trying to withdraw funds,” the post said. “At this point, through an aggregated effort, the developers have managed to recover about half the value of the mining.”
Sovryn spokesman Edan Yago said it was the first successful exploit against the protocol in two years of operation. He asserts that Sovryn is “one of the most heavily audited DeFi systems,” with active and valid bug bounties.
The exploit works by manipulating the price of Sovryn's iToken, an interest-bearing token that represents the share of crypto a user holds in the lending pool. The price of this token is updated every time there is an interaction with a lending pool position.
How the funds are withdrawn
First, the attacker purchased WRBTC (wrapped RBTC) using a flash swap on RskSwap. He then borrowed more WRBTC from Sovryn's loan contract using his own XUSD (another stablecoin) as collateral.
“The attacker then provided liquidity to the RBTC loan contract, closed their loan with a swap using their XUSD collateral, redeemed (burned) the iRBTC token for their WRBTC and sent WRBTC back to RskSwap to complete the quick swap,” the post continued.
The whole process manipulated the iToken price so that the attacker could withdraw more RBTC from the lending pool than was initially deposited.
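The sequence described above leaves two signals a pool operator can monitor for: an iToken price that moves inside a single transaction, and an account that deposits and redeems in the same transaction while taking out more than it put in. The check below is an added example, not code from Sovryn or from the blog post; the `PoolEvent` record, its field names, the drift threshold and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class PoolEvent:  # hypothetical record; field names are assumptions
    tx: str         # transaction id
    account: str
    kind: str       # "borrow", "mint", "close" or "burn"
    underlying: D   # underlying asset moved by the event
    price: D        # iToken price reported after the event


def flag_suspicious(events, max_drift=D("0.001")):
    """Map tx id -> reasons for transactions showing same-tx price manipulation."""
    by_tx = defaultdict(list)
    for ev in events:
        by_tx[ev.tx].append(ev)
    findings = {}
    for tx, evs in by_tx.items():
        reasons = []
        lo, hi = min(e.price for e in evs), max(e.price for e in evs)
        # No interest accrues inside one transaction, so the price should stay flat.
        if lo > 0 and (hi - lo) / lo > max_drift:
            reasons.append("price_drift")
        flows = defaultdict(lambda: {"mint": D(0), "burn": D(0)})
        for e in evs:
            if e.kind in ("mint", "burn"):
                flows[e.account][e.kind] += e.underlying
        for account, f in flows.items():
            # Deposit and redemption in one transaction, taking out more than went in.
            if f["mint"] > 0 and f["burn"] > f["mint"]:
                reasons.append(f"round_trip_profit:{account}")
        if reasons:
            findings[tx] = reasons
    return findings


# Constructed sample data, not taken from the incident.
SAMPLE = [
    PoolEvent("tx-1", "acct-A", "borrow", D("50"), D("1.0000")),
    PoolEvent("tx-1", "acct-A", "mint", D("100"), D("1.0000")),
    PoolEvent("tx-1", "acct-A", "close", D("50"), D("1.0500")),
    PoolEvent("tx-1", "acct-A", "burn", D("105"), D("1.0500")),
    PoolEvent("tx-2", "acct-B", "mint", D("10"), D("1.0000")),
    PoolEvent("tx-3", "acct-B", "burn", D("10.001"), D("1.0001")),
]

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE))
```

Only the first constructed transaction is flagged; the second account's deposit and later redemption sit in separate transactions, where a small price increase is ordinary interest.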
Sovryn clarified that user funds were not affected by the hack. Any value missing from the lending pools will be injected by the Exchequer, the Sovryn treasury.