Raft, a decentralized USD stablecoin protocol, disclosed a security breach last week that cost it $6.7 million, despite the affected contracts having undergone multiple security audits. The attacker first borrowed 6,000 Coinbase Wrapped Staked ETH (cbETH) through the decentralized finance lending protocol Aave, then deposited the funds into Raft and exploited a smart contract vulnerability to mint 6.7 million R, the protocol's stablecoin.
The improperly minted R was then swapped out of the protocol through decentralized exchange liquidity pools on Balancer and Uniswap, netting the attacker about $3.6 million. As a result of the exploit, R lost its peg to the U.S. dollar. According to reports, the root cause was a precision (rounding) error in the calculation performed when minting share tokens: by manipulating the amplified index value, the attacker was able to obtain more share tokens than the deposited collateral justified.
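The report above only says that the share-minting calculation lost precision and that an amplified index turned that loss into extra share tokens. The following is an added illustration, not Raft's contract code, of the general bug class: a share token whose mint function rounds the share count in the minter's favor. Once the index (collateral per share, a hypothetical parameter the example takes as already amplified) is large enough that a dust deposit is worth a fraction of a share, rounding up hands out a whole share per call, and repeating the call mints shares backed by far less collateral than they can redeem, which is the accounting gap that lets a stablecoin depeg. The hardened variant rounds down, refuses deposits that would mint zero shares, and asserts that minted shares are never worth more than what was paid. The arithmetic is integer-only to mirror EVM semantics; all class and function names are this example's own.

```python
# Added illustration, not Raft's contract code. Models a share-token mint in
# EVM-style integer arithmetic to show how rounding in the minter's favor,
# combined with an amplified index, over-mints shares.

SCALE = 10**18  # fixed-point scale (1e18), as used by many Solidity vaults


def ceil_div(a: int, b: int) -> int:
    """Ceiling division on non-negative integers (Solidity mulDiv rounding-up style)."""
    return -(-a // b)


class VulnerableShareToken:
    """Rounds the share amount UP, i.e. in favor of the minter.

    index: collateral units per share, scaled by SCALE. Hypothetical input;
    the example assumes the attacker has already pushed it very high.
    """

    def __init__(self, index: int) -> None:
        self.index = index
        self.total_shares = 0
        self.total_collateral = 0

    def mint(self, collateral: int) -> int:
        shares = ceil_div(collateral * SCALE, self.index)  # bug: rounds up
        self.total_shares += shares
        self.total_collateral += collateral
        return shares

    def redeemable(self) -> int:
        """Collateral that all outstanding shares are entitled to at the current index."""
        return self.total_shares * self.index // SCALE


class HardenedShareToken(VulnerableShareToken):
    """Rounds DOWN (against the minter) and refuses dust that would mint zero shares."""

    def mint(self, collateral: int) -> int:
        shares = (collateral * SCALE) // self.index  # round against the user
        if shares == 0:
            raise ValueError("deposit too small to mint a share")
        # Invariant: the shares handed out must never be worth more than was paid.
        assert shares * self.index <= collateral * SCALE
        self.total_shares += shares
        self.total_collateral += collateral
        return shares


def repeated_dust_mint(token: VulnerableShareToken, deposit: int, repetitions: int) -> dict:
    """Deposit `deposit` collateral units `repetitions` times and report the gap
    between what was paid in and what the minted shares can redeem."""
    for _ in range(repetitions):
        token.mint(deposit)
    return {
        "shares": token.total_shares,
        "paid": token.total_collateral,
        "redeemable": token.redeemable(),
    }


if __name__ == "__main__":
    AMPLIFIED_INDEX = 10**30  # constructed value: each share is worth 1e12 collateral units

    # Attacker path: 1,000 deposits of a single unit each.
    result = repeated_dust_mint(VulnerableShareToken(AMPLIFIED_INDEX), deposit=1, repetitions=1000)
    print("vulnerable:", result)  # 1000 shares for 1000 units paid, redeemable for 1e15 units

    # Same dust deposit against the hardened mint is rejected; a properly sized one is not.
    hardened = HardenedShareToken(AMPLIFIED_INDEX)
    try:
        hardened.mint(1)
    except ValueError as err:
        print("hardened rejects dust:", err)
    print("hardened mints", hardened.mint(5 * 10**12), "shares for 5e12 units")
```

The point of the invariant in the hardened mint is that it is the check an auditor can state independently of the index arithmetic: whatever the index is, and however it was amplified, `shares * index <= collateral * SCALE` must hold after every mint, and a fuzzer that drives the index and deposit size to extremes will find a rounding-up implementation in seconds.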
In its statement on the breach, Raft said that the smart contracts involved had been audited by the blockchain security firms Trail of Bits and Hats Finance, and that neither audit identified the vulnerability exploited in this incident.
Since the breach on November 10, Raft has reported the incident to law enforcement and is working with centralized exchanges to trace the stolen funds. All of Raft's smart contracts are currently paused; users with open R positions can still repay them and withdraw their collateral.
Decentralized stablecoins are typically minted against users' cryptocurrency deposits, which serve as collateral, so any path that mints without matching collateral directly undermines the peg. In a similar incident in December 2022, attackers abused a smart contract flaw to mint 16 million HAY without adequate collateral, causing the decentralized stablecoin HAY to lose its peg to the U.S. dollar. HAY later returned to its peg after the protocol introduced a 152% collateralization ratio as a risk-management measure.