In this article we look back at the exploit of Rikkei Finance that took place on 15 April 2022. The hacker was able to replace the oracle with a malicious smart contract because access to setOracleData() was not restricted, causing a loss of $1.1m.
Rikkei Finance is a DeFi lending and borrowing platform which facilitates the lending and borrowing of assets such as NFTs. There are numerous collateral pools that users can deposit into, and therefore the project needs access to accurate and trustworthy price information via an oracle. If this information is inaccurate, malicious actors can take advantage of the mispricing of tokens to drain collateral pools. An example of this occurred following the collapse of Terra, where the oracle on the Mirror protocol was mispricing LUNA, leading to a $2m loss. This example shows how important it is to have accurate and secure oracles. Unfortunately, in the case of Rikkei Finance, a critical vulnerability in the access to the oracle led to the loss of $1.1m.
A hacker took advantage of a vulnerability to replace the legitimate oracle with a malicious smart contract. This made the price feeds for the collateral pools inaccurate and untrustworthy, allowing the malicious actor to take advantage.
Below are the steps that the attacker took to drain collateral pools:
setOracleData() to change the oracle to the original one.
The attacker created two malicious contracts to retrieve the stolen funds from the attack, then deposited them into EOA 0x803e… before terminating the contracts. The hacker then deposited the stolen funds, which totalled 2671 BNB, into Tornado Cash.
The attacker was able to pull off this attack because they could change the oracle via a public function, setOracleData(). Rikkei Finance utilized SimplePriceOracle in Cointroller to calculate the price. However, the function setOracleData() was not restricted and could be called by any user.
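The missing restriction described above, next to a restricted form of the same setter. This is an added illustration, not Rikkei Finance's code: only the name setOracleData() comes from the article, while the signature, the IPriceFeed interface, both contract names and the admin role are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical price feed interface, used only for this illustration.
interface IPriceFeed {
    function latestAnswer() external view returns (int256);
}

// Weak form: the setter is external with no caller check, so any account
// can repoint a market's price feed to a contract of its choosing.
contract UnrestrictedOracle {
    mapping(address => IPriceFeed) public oracleData;

    function setOracleData(address market, IPriceFeed feed) external {
        oracleData[market] = feed;
    }
}

// Restricted form: only the admin (assumed here to be a multisig or
// timelock address supplied at deployment) can change a feed, and every
// change emits an event that monitoring can alert on.
contract RestrictedOracle {
    address public immutable admin;
    mapping(address => IPriceFeed) public oracleData;

    event OracleUpdated(address indexed market, address indexed oldFeed, address indexed newFeed);

    error NotAdmin(address caller);
    error InvalidFeed(address feed);

    constructor(address admin_) {
        admin = admin_;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin(msg.sender);
        _;
    }

    function setOracleData(address market, IPriceFeed feed) external onlyAdmin {
        // Reject addresses with no deployed code (for example the zero address).
        if (address(feed).code.length == 0) revert InvalidFeed(address(feed));
        emit OracleUpdated(market, address(oracleData[market]), address(feed));
        oracleData[market] = feed;
    }
}
```

An OracleUpdated event from an unexpected transaction is a useful alert condition, because a feed change should be rare and planned.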
Rikkei Finance tweeted a public announcement on the day of the attack confirming that an exploit took place. Furthermore, the team announced that they would take steps to reimburse all those that were affected by the exploit. They also took steps to further secure their price oracle, and an announcement on 7 July 2022 stated that Rikkei Finance is partnering with DAI to allow the project to use its open source oracles.