OneRing Finance -After the Hack: A Recap and Solutions.
IMPORTANT NOTE: $RING token is completely safe and has not been involved in the hack, none of the liquidity pools have suffered. Only the OShare contract was exploited. Our multiple farming opportunities in the Fantom space are also safe.
We are really sad about what happened in the last hours, this is not a post we thought we would ever have to write however we must make an official announcement:
Today (March 21st 2022) at 06:44:10 PM UTC an unknown hacker managed to steal 1,454,672.244369 USDC ($1,454,672.24) via flashloan attack.
The hacker stole the funds using the following wallet address.
The hacker set up an specific contract to perform the exploit, you can check it out here.
As you may have noticed, the contract has been configured to self-destruct at a specific block, making it almost impossible to track what specific functions from our contracts were called in order to steal the funds. This only tells us that the hacker is a professional, and since we were the only protocol being exploited, this attack was planned.
Events Analysis
We want to thank PeckShield for their quick response and support.
At the time of the attack, the attacker was fully prepared. Before the attack the hacker has moved funds needed for gas through the Celer Network cBridge.
15 minutes later the attacker deployed the contract that was used to drain funds from OneRing. This contract has been self-destructed however we are already working with node providers in order to get the information of the block where the contract was deployed. We believe we can find the bytecode, decompile it and at least have a brief idea on how this contract was structured.
The hack was made possible due to a flashloan-assisted price manipulation of the LP tokens, this led to a larger number of OShare tokens being moved from the protocol.
Right after contract deployment the hacker borrowed $80’000,000 USDC using Solidly flashloans to increase the price of our underlying LP tokens in the span of a block, this changed OShare’s price and drove a large amount of OShare tokens out of the protocol.
Our friends at PeckShield provided us with more clear analysis of what happened. To illustrate we show the transaction where the exploit took place with the key steps:
You can track the attack in this transaction: https://ftmscan.com/tx/0xca8dd33850e29cf138c8382e17a19e77d7331b57c7a8451648788bbb26a70145
These actions resulted in a loss of $1,454,672.24 USDC. You can check the final transaction here. However from swap fees and flashloan fees ($80Mill) another $500k USD were lost. The protocol lost ≈$2'000,000 in total.
Using that information we then tried to track down the hacker’s address. Going to his Ethereum address shows us that his wallet was originally funded from Tornado Cash, as you may know, this makes it almost impossible to track the wallet he used to fund the recently created one.
When funds were stolen they were moved from Fantom back to Ethereum and again into Tornado Cash.
We looked for any mentions of this address anywhere or any activities of this wallet outside of this hack. Unfortunately, it seems to be that this wallet didn’t leave any traces. It was as clean as a wallet can be and the funds now disappearing in Tornado Cash limits us from opportunities of contacting exchanges and any parties that could stop potential withdrawals from this hacker. We will however keep trying to track the hacker down.
Moving Forward:
Team will be using this Medium as a post-mortem and the main source for updating our community.
Main areas of focus right now are:
- Vault status: Our vault has been paused and we are working on setting things back up again.
- Analysis, Debugging, Fixes: We have been working for many hours to fix the issues that allowed the hacker to perform this actions, we have been collaborating with many qualified developers and protocols in order to clean all our code, this was completely unexpected, even for some senior developers that reviewed our code before.
- Repayments through Protocol Treasury : The team is working on a plan to provide a concrete mid-long term repayment plan for those affected.
- Bounty: We understand this is a longshot but we are offering the hacked 15% of the stolen funds plus 1,000,000 RING tokens as a bounty for returning the funds.
Short-term plan now?
As stated above we are working on numerous areas to fix the code, redeploy smart-contracts, move forward with a repayment plan and start building up again.
Is the $RING token Safe?
The $RING token is completely safe and hasn’t been involved in the hack, none of the liquidity pools have suffered. Only the oShare tokens were exploited.
Our multiple farming opportunities in the Fantom space are also as safe as before, Spookyswap, Spiritswap, Beethoven and all our partners are safe to use.
We won’t stop working. That’s for sure.
*This post will be updated often so please stay tuned*
Thanks for your support.
- OneRing Finance Team.
