Back to all stories
Incident Analysis
Revisiting Rikkei Finance Exploit
Revisiting Rikkei Finance Exploit

In this article we will take a look back at the exploit that occurred on Rikkei Finance which took place on 15 April 2022. The hacker was able to change the oracle to a malicious smart contract due to a lack of control measures to access the SetOracleData causing a loss of $1.1m.

Event Summary

Rikkei Finance is a DeFi lending and borrowing platform which facilities the lending and borrowing of assets such as NFT’s. There are numerous collateral pools that users can deposit into, and therefore the project needs access to accurate and trustworthy price information via an oracle. If this information is inaccurate, this can lead to malicious actors to take advantage of the mis-pricing of tokens to drain collateral pools. An example of this occurred following the collapse of Terra, where the oracle on the Mirror protocol was mis-pricing LUNA leading to a $2m loss. This example shows how important it is to have accurate and secure oracles. Unfortunately in the case for Rikkei Finance, a critical vulnerability in the access to the oracle led to the loss of $1.1m.

A hacker took advantage of a vulnerability to set a malicious smart contract to essentially replace the legitimate oracle in place for a malicious one. This made the price feeds for the collateral pools to be inaccurate and untrustworthy allowing the malicious actor to take advantage.

Attack Flow

Below are the steps that the attacker took to drain collateral pools:

  1. The attacker sent 0.0001 BNB to the rBNB contract to mint 4995533044307111 rBNB
  2. The attacker set the oracle to a malicious one via a public function setOracleData()
  3. As the oracle had been replaced, the price of rTokens from the oracle is manipulated. 
  4. The attacker borrowed 346,199 USDC at an advantageous price.
  5. The attacker swapped the USDC gained from step 4 to BNB and sent the BNB to the attack contract.
  6. The attacker repeated step 4 and 5 to drain BTCB, DAI, USDT and BUSD
  7. The attacker use  function setOracleData() to change the oracle to the original one.

The attacker created two malicious contracts to retrieve the stolen funds from the attack and then deposited into EAO 0x803e… before terminating the contracts. The hacker then deposited the stolen funds into Tornado Cash which totalled 2671 BNB.


Contract Vulnerability

The reason why the attacker was able to pull off this attack was due to the fact they could change the oracle via a public function setOracleData(). Rikket finance utilized SimplePriceOracle in Cointroller to calculate the price. However, function setOracleData() was not restricted and could be manipulated by any user.

After Action

Rikkei Finance tweeted a public announcement on the day of the attack confirming that an exploit took place. Furthermore, the team announced that they will take steps to reimburse all those that were affected from the exploit. They also took steps to further secure their price oracle, and an announcement on 7 July 2022 stating that Rikkei Finance is partnering with DAI to allow the project to use its open source oracles.