The team behind the protocol is “absolutely devastated” after its governance was effectively bought out by a malicious actor.
Fortress Protocol – an algorithmic money market and DeFi lending protocol – has been drained of all funds following an oracle manipulation attack. The stolen crypto has since been bridged from Binance Smart Chain to Ethereum and mixed using the privacy protocol Tornado Cash.
Buying Out the Protocol
Blockchain security firm CertiK shared information about the hack with CryptoPotato on Monday. It began with the hacker using ETH to purchase a substantial amount of FTS – the governance token managing the FTS protocol.
The quorum for votes on Fortress loans’ governance contract is 400,000 FTS. That was worth just $18,000 at the time of the hack and represented a smaller number of tokens than the attacker held. In other words, he now held the authority to pass any protocol change proposal that he liked.
As such, he passed proposal ID 11, which changed the collateral factor on FTS tokens within loan contracts from 0 to 700,000,000,000,000,000. He also updated the price oracle used by the loan contract such that the token’s price would update, even if voting power was zero.
“With these updates, the value of the attacker’s collateral (FTS) was raised significantly, so the attacker was able to borrow large amounts of other tokens from the loan contracts,” explained CertiK over Twitter.
The attacker used his remaining FTS to borrow a massive number of tokens and convert them to over 1000 ETH and over 400,000 DAI – worth over $3 million at the time of the hack. He then deployed a self-destruct mechanism encoded into his malicious smart contract and swiftly transferred the stolen goods to Tornado Cash.
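The checks a proposal reviewer or monitoring job could run against a change like proposal 11, as an added example that is not CertiK's or Fortress's code. It assumes the Compound-style 1e18 fixed-point scale for collateral factors (under which 700,000,000,000,000,000 reads as 0.7); the `Proposal` model, the finding names and the $3,000,000 borrowable figure are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

MANTISSA = Decimal(10) ** 18  # assumption: Compound-style 1e18 fixed-point scale


@dataclass
class Proposal:  # hypothetical model of one proposal's parameter changes
    proposal_id: int
    token: str
    old_collateral_factor: int  # raw integer as stored on-chain
    new_collateral_factor: int
    changes_price_oracle: bool


def quorum_cost_usd(quorum_tokens: int, token_price_usd: Decimal) -> Decimal:
    """Market cost of enough governance tokens to meet quorum alone."""
    return quorum_tokens * token_price_usd


def review(p, quorum_tokens, token_price_usd, borrowable_usd, governance_token):
    """Return {finding_code: explanation} for a proposal; empty dict if clean."""
    findings = {}
    cost = quorum_cost_usd(quorum_tokens, token_price_usd)
    if cost < borrowable_usd:
        findings["CHEAP_QUORUM"] = (
            f"quorum costs ${cost:,.0f}, pools hold ${borrowable_usd:,.0f}")
    if p.old_collateral_factor == 0 and p.new_collateral_factor > 0:
        factor = Decimal(p.new_collateral_factor) / MANTISSA
        findings["NEW_COLLATERAL"] = f"{p.token} becomes collateral at {factor}"
        if p.token == governance_token:
            findings["SELF_COLLATERAL"] = "voting token becomes its own collateral"
    if p.changes_price_oracle:
        findings["ORACLE_SWAP"] = "price source replaced in the same proposal"
    return findings


# Figures from the article; the borrowable amount is a constructed round number.
proposal_11 = Proposal(11, "FTS", 0, 700_000_000_000_000_000, True)
fts_price = Decimal("18000") / 400_000  # $18,000 bought the 400,000 FTS quorum

if __name__ == "__main__":
    report = review(proposal_11, 400_000, fts_price, Decimal("3000000"), "FTS")
    for code, why in report.items():
        print(f"proposal {proposal_11.proposal_id}: {code}: {why}")
```

Any one of these findings warrants a closer look; all four in a single proposal is the pattern described above.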
The Fortress Protocol team said they are “absolutely devastated” by yesterday’s events. They have called on the community to not deposit any assets into Fortress, and for all available partners to assist in reclaiming the funds.
Tornado Cash: Criminal Tool of Choice
Both the ETH required to purchase the hacker’s initial FTS, and the ETH representing the hacker’s stolen goods came and went through Tornado Cash. The mixing protocol breaks the link between a sender and receiver’s address on Ethereum, letting the hacker keep his identity concealed from start to finish.
The same protocol has been useful to numerous crypto thieves over the past few months. The person or group behind the $600 million Ronin hack in March is now solely responsible for 15% of funds being deposited into the mixer.
In January, approximately $14.6 million in ETH stolen from Crypto.com was laundered through Tornado.