| Field | Value |
|---|---|
| title | Rikkei Oracle Replace |
| description | Setting malicious price oracles through unprotected functions |
| type | Exploit |
| network | |
| date | 2021-04-15 |
| loss_usd | 1000000 |
| returned_usd | 0 |
| tags | |
| subcategory | |
| vulnerable_contracts | |
| tokens_lost | |
| attacker_addresses | |
| malicious_token | |
| attack_block | |
| reproduction_command | `forge test --match-contract Exploit_Rikkei -vvv` |
| attack_txs | |
| sources | |
- Call `setOracleData` to register an attacker-controlled oracle for a token.
- Take favorable loans using the malicious price.
The Rikkei Oracle contract did not prevent arbitrary callers from invoking its `setOracleData` function:

```solidity
// Vulnerable setter as deployed: no access control, so any address can
// replace the price oracle for any rToken.
function setOracleData(address rToken, oracleChainlink _oracle) external {
    oracleData[rToken] = _oracle;
}
```

Once a malicious oracle is set, the attacker can take out loans for a monstrous amount of money with little to no collateral.
The attacker:
- Deposited 0.0001 BNB to receive 4995533044307110.024 rBNB.
- Took a loan of 346199.781 USDC against the rBNB.
- Exchanged the USDC for 776.298 WBNB.
- Repeated this process with all available stablecoins.
- Restored the original oracle.
- Moved the WBNB out through Tornado Cash.
- `setOracleData` had to be either `internal` or authenticated.
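To make the fix concrete, here is a hardened version of the oracle registry as an added illustration; it is not Rikkei's code and the names `GuardedOracleRegistry` and `IChainlinkAggregator` are assumptions (the page only shows the `oracleChainlink` type, not its definition). The setter is restricted to an owner, validates the new feed before accepting it, and emits an event so oracle changes can be monitored off-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal Chainlink-style aggregator interface; the original contract's
// `oracleChainlink` type is not shown on the page.
interface IChainlinkAggregator {
    function latestAnswer() external view returns (int256);
    function decimals() external view returns (uint8);
}

/// Hypothetical hardened oracle registry (illustration, not Rikkei's contract).
/// Fixes the page's bug: only the owner may replace a token's price oracle.
contract GuardedOracleRegistry {
    address public owner;
    address public pendingOwner;
    mapping(address => IChainlinkAggregator) public oracleData;

    event OracleSet(address indexed rToken, address indexed oldOracle, address indexed newOracle, address by);
    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    error NotOwner();
    error NotPendingOwner();
    error InvalidOracle();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // Two-step ownership transfer so a mistyped address cannot lock the registry.
    function transferOwnership(address to) external onlyOwner {
        pendingOwner = to;
        emit OwnershipTransferStarted(owner, to);
    }

    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        emit OwnershipTransferred(owner, pendingOwner);
        owner = pendingOwner;
        pendingOwner = address(0);
    }

    // The authenticated setter. `onlyOwner` is the actual fix for the incident;
    // the sanity checks reject obviously broken feeds and the event gives
    // monitoring a clear signal whenever a price source changes.
    function setOracleData(address rToken, IChainlinkAggregator _oracle) external onlyOwner {
        if (address(_oracle) == address(0)) revert InvalidOracle();
        // The feed must currently report a positive price...
        if (_oracle.latestAnswer() <= 0) revert InvalidOracle();
        // ...and look like a real aggregator (Chainlink feeds use 8 or 18 decimals).
        if (_oracle.decimals() > 18) revert InvalidOracle();

        address old = address(oracleData[rToken]);
        oracleData[rToken] = _oracle;
        emit OracleSet(rToken, old, address(_oracle), msg.sender);
    }
}
```

Authentication alone closes the hole described on this page; the feed checks and the `OracleSet` event are defence in depth, since a lending protocol's solvency depends entirely on who can change its price sources, and an unexpected `OracleSet` is exactly the kind of event an on-chain monitor should alert on.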
- Sandbox Public Burn - Unprotected public function allows anyone to cause damage
- DAO maker - Missing access control on critical function
- Polter Finance - Oracle manipulation to drain lending protocol