QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$250 000 USD
JANUARY 2022
GLOBAL
RARI CAPITAL
DESCRIPTION OF EVENTS
"Float Protocol, DeFi Money. Decentralised Finance needs stability, but we can do better than the dollar.
FLOAT tracks a basket of digital assets instead of trying to exactly match the price of a dollar. It is designed to change value over time corresponding to your digital purchasing power."
"Float Protocol Pool 90 on @RariCapital pool suffered effects from a lack of liquidity in the Uniswap V3 FLOAT/USDC oracle which led to severe price manipulation."
"Our @RariCapital pool just experienced effects from a weak oracle. We're looking into the issue and will update with more information shortly."
"The attacker brought in >47 ETH via Tornado Cash and deployed an orchestrating contract."
"Via the contract they swapped 47 ETH -> 129,447 USDC -> 77.5k FLOAT; this brought the vast majority of FLOAT out of the pool dramatically increasing the price within the FLOAT/USDC pool."
"The attacker waited for 2-7 minutes for the time weighted oracles to shift the price."
"At this point they were then able to deposit FLOAT into Rari Fuse at a vastly increased rate and borrow other assets, before selling the FLOAT back into the Uniswap V3 pool to return the price."
"The orchestrating contract still contains 250k USDC and 5 fFLOAT."
"Lack of liquidity in the Uniswap V3 FLOAT/USDC oracle allowed an attacker to manipulate the prices within the pool, then deposit it at a much higher rate. The hacker pulled about 350 ETH (equivalent to $1.1 million) out of the pool, though according to PeckShield they later returned around $250,000 for some reason."
"The depositors primarily impacted were Float Protocol's treasury diversification funds, FRAX AMO, and FEI PCV deposits."
"As such we currently calculate there was 1 depositor of $25k DAI in user funds lost at this time, but are still collecting further information for a follow up proposal."
Float Protocol's Uniswap V3 FLOAT/USDC liquidity pool had limited liquidity, and Rari Fuse used it as the price oracle to determine eligibility to borrow assets. An attacker manipulated the price through a large purchase, then took out a loan against FLOAT at the inflated value, profiting $250k+ after all was said and done. It appears that the funds were ultimately returned.
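An added example, not code from the original page or from Float Protocol or Rari Capital: it models a tick-averaged TWAP, the averaging Uniswap V3 oracles use, to show how far a short window moves once a thin pool's spot price has been held away from its baseline for a few minutes, and adds one illustrative guard that refuses a price when the short-window TWAP diverges from a longer one. The sample prices, window lengths, the `max_ratio` threshold and the function names are constructed assumptions, not values from the incident.

```python
import math

TICK_BASE = 1.0001  # Uniswap V3 encodes price as 1.0001 ** tick

# Constructed sample: (unix_seconds, spot_price). Spot sits at 1.50, then is
# pushed to 15.00 at t=3600 and held there. Not data from the incident.
SAMPLE_OBS = [(0, 1.50), (3600, 15.00)]


def twap(observations, now, window):
    """Tick-averaged (geometric-mean) TWAP over [now - window, now].

    Each observed price holds until the next observation. The first
    observation must be at or before now - window.
    """
    start = now - window
    weighted_ticks = 0.0
    for i, (ts, price) in enumerate(observations):
        end = observations[i + 1][0] if i + 1 < len(observations) else now
        lo, hi = max(ts, start), min(end, now)
        if hi > lo:
            tick = math.log(price) / math.log(TICK_BASE)
            weighted_ticks += tick * (hi - lo)
    return TICK_BASE ** (weighted_ticks / window)


def collateral_price(observations, now, short_window, long_window, max_ratio):
    """Return the short-window TWAP, or None if it diverges from the long one.

    Hypothetical guard: a lending market would pause new borrows against the
    asset instead of pricing collateral from a feed that has just jumped.
    """
    short = twap(observations, now, short_window)
    long_ = twap(observations, now, long_window)
    ratio = max(short, long_) / min(short, long_)
    return short if ratio <= max_ratio else None


if __name__ == "__main__":
    now = 3600 + 300  # five minutes after the spot price moved
    for window in (600, 1800, 3600):
        print(f"{window:>5}s window -> TWAP {twap(SAMPLE_OBS, now, window):.3f}")
    print("guarded price:", collateral_price(SAMPLE_OBS, now, 600, 3600, 1.10))
```

With the constructed data, a 10-minute window reports more than three times the baseline after five minutes, while a 60-minute window moves by roughly a fifth; the guard returns `None` in that state.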
@ErgoBTC Twitter (Mar 15)
An attacker pulls about 350 ETH from Float Protocol's Rari Capital pool (Jan 30)
@FloatProtocol Twitter (Jan 30)
@peckshield Twitter (Jan 30)
Snapshot (Jan 30)
https://etherscan.io/tx/0x40db7bd89d2a3f7df2793ba4f5be9a2ca93463d6bb6af024e5cd1b73ff827248 (Jan 30)
Float Protocol (Jan 30)
