SlowMist: Forensic Analysis of Rikkei Finance Hack (Released in 2022)
On April 15, 2022, due to a malicious attack, almost all of the tokens in Rikkei Finance’s five liquidity pools (USDT, BTC, DAI, USDT, BUSD) were stolen. SlowMist security team shared the analysis results of the replay below:
Rikkei Finance is a DeFi lending platform on BSC.
The following are the relevant addresses involved in the attack:
The fundamental reason for Rikkei Finance’s attack was the lack of permission control in the setOracleDate function call, which allowed the malicious manipulation of the oracle price.
- The attacker used 0.0001 BNB to exchange for some rBNB as collateral, and the rBNB contract address is https://bscscan.com/address/0x157822aC5fa0Efe98daa4b0A55450f4a182C10cA.
2. The attacker set up a malicious oracle for rBNB, and the contract address is https://bscscan.com/address/0xd55f01b4b51b7f48912cd8ca3cdd8070a1a9dba5.
The deployed malicious oracle address is https://bscscan.com/address/0xA36F6F78B2170a29359C74cEFcB8751E452116f9, and its decompiled code is as follows:
As shown in the decompiled code, the oracle returns a price that is written as a large constant.
3. The attacker then borrowed against rUSDC, rBTC, rDAI, rUSDT, and rBUSD contracts. Due to the previous deployment of the malicious oracle, rBNB was considered to have a high value and could borrow all the coins in the pool. Then, the attacker swapped them for BNB on Pancake, resulting in a total profit of approximately 2571 BNB.
4. The attacker sent the BNB to Tornado.Cash:
This attack was caused by the lack of authorization in the setOracleData function in the SimplePriceOracle contract file of the Rikkei Finance project. The function can be called arbitrarily. The attacker added a malicious oracle contract to SimplePriceOracle through the setOracleData function. During lending and borrowing, the attacker’s small amount of collateral was considered to have high value because the price of the collateral was obtained from the malicious oracle contract. This allowed the attacker to borrow all of the USDC, BTC, DAI, USDT, BUSD in the Rikkei Finance pool with only a small amount of collateral. The SlowMist Security Team recommends paying attention to the access control of functions when developing contract code, such as using the Ownable.sol contract provided by OpenZeppelin.
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.