$250 000 USD

JANUARY 2022

GLOBAL

RARI CAPITAL

DESCRIPTION OF EVENTS

"Float Protocol, DeFi Money. Decentralised Finance needs stability, but we can do better than the dollar.

 

FLOAT tracks a basket of digital assets instead of trying to exactly match the price of a dollar. It is designed to change value over time corresponding to your digital purchasing power."

 

"Float Protocol Pool 90 on @RariCapital pool suffered effects from a lack of liquidity in the Uniswap V3 FLOAT/USDC oracle which led to severe price manipulation."

 

"Our @RariCapital pool just experienced effects from a weak oracle. We're looking into the issue and will update with more information shortly."

 

"The attacker brought in >47 ETH via Tornado Cash and deployed an orchestrating contract."

 

"Via the contract they swapped 47 ETH -> 129,447 USDC -> 77.5k FLOAT; this brought the vast majority of FLOAT out of the pool, dramatically increasing the price within the FLOAT/USDC pool."

 

"The attacker waited for 2-7 minutes for the time weighted oracles to shift the price."

 

"At this point they were then able to deposit FLOAT into Rari Fuse at a vastly increased rate and borrow other assets, before selling the FLOAT back into the Uniswap V3 pool to return the price."

 

"The orchestrating contract still contains 250k USDC and 5 fFLOAT."

 

"Lack of liquidity in the Uniswap V3 FLOAT/USDC oracle allowed an attacker to manipulate the prices within the pool, then deposit it at a much higher rate. The hacker pulled about 350 ETH (equivalent to $1.1 million) out of the pool, though according to PeckShield they later returned around $250,000 for some reason."

 

"The depositors primarily impacted were Float Protocol's treasury diversification funds, FRAX AMO, and FEI PCV deposits."

 

"As such we currently calculate there was 1 depositor of $25k DAI in user funds lost at this time, but are still collecting further information for a follow up proposal."

Float Protocol's liquidity pool had limited liquidity, and Rari Fuse used it as the price source for deciding how much could be borrowed against FLOAT. An attacker inflated the price with a large purchase, then took out a loan against FLOAT valued at the inflated price, profiting $250k+ after all was said and done. It appears that the funds were ultimately returned.
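As an added illustration (not code from Float Protocol, Rari Capital or the original page), the Python sketch below shows why a short time-weighted window over a thin pool drifts within the 2-7 minutes quoted above, and how a defender can size the window or gate collateral pricing on a longer reference. The 50x push factor, the 10-minute and 24-hour windows, the 10% limit and all function names are assumptions chosen for the example; the only Uniswap V3 convention used is that the oracle averages ticks, with price = 1.0001^tick.

```python
import math

TICK_BASE = 1.0001  # Uniswap V3 convention: price = 1.0001 ** tick

def price_to_tick(price):
    return math.floor(math.log(price) / math.log(TICK_BASE))

def twap(observations, now, window_s):
    """Geometric-mean price over [now - window_s, now].

    observations: sorted (timestamp, tick) pairs, the first at or before the
    window start; each tick is in force until the next observation.
    """
    start, cumulative = now - window_s, 0
    for i, (ts, tick) in enumerate(observations):
        end = observations[i + 1][0] if i + 1 < len(observations) else now
        lo, hi = max(ts, start), min(end, now)
        if hi > lo:
            cumulative += tick * (hi - lo)  # same idea as tickCumulative
    return TICK_BASE ** (cumulative / window_s)

def min_window_s(push_factor, hold_s, max_inflation):
    """Shortest window that caps TWAP inflation at max_inflation when spot is
    held at push_factor x for hold_s: k**(t/W) <= m  =>  W >= t*ln(k)/ln(m)."""
    return math.ceil(hold_s * math.log(push_factor) / math.log(max_inflation))

def collateral_price(short_twap, long_twap, max_dev=0.10):
    """Refuse to value collateral when the short TWAP has left the long one."""
    if abs(short_twap / long_twap - 1) > max_dev:
        raise ValueError("oracle deviation above limit: pause new borrows")
    return min(short_twap, long_twap)

# Constructed data: price 1.0, then spot held at 50x for 300 s (assumed factor).
NOW = 100_300
OBS = [(0, price_to_tick(1.0)), (100_000, price_to_tick(50.0))]

if __name__ == "__main__":
    short, long_ = twap(OBS, NOW, 600), twap(OBS, NOW, 86_400)
    print(f"10-minute TWAP: {short:.2f}x   24-hour TWAP: {long_:.3f}x")
    print("window needed for <=10% drift:", min_window_s(50, 300, 1.10), "s")
    try:
        collateral_price(short, long_)
    except ValueError as err:
        print("guard:", err)
```

Because the average is geometric, holding spot at k times the fair price for a fraction f of the window inflates the reported price by k^f, so a window only a few times longer than the hold time offers little protection when thin liquidity makes a large k cheap.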

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.