Rho Markets Price Oracle Misconfiguration

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


Rho Markets Logo/Homepage

Rho Markets is a protocol allowing users to lend out specific blockchain assets such as pufETH and ezETH, as well as mainstream assets including Ethereum and Bitcoin. On July 19th, 2024, there was a configuration issue where the team mixed up Bitcoin and Ethereum pricing in their oracle, which allowed a MEV bot to make a considerable profit. The funds were ultimately returned and redistributed to users, with the cooperation of the bot owner.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21]

About Rho Markets

"Rho Market is the liquidity layer built on Scroll, based on an overcollateralized lending model; we also bring & leverage LRT asset yield in Scroll." "Rho Market primarily offers liquidity for users, including LRT assets such as pufETH, ezETH, as well as mainstream - ETH & BTC." "RHO is poised to become a central liquidity layer, supporting ongoing projects and emerging Layer 3 solutions on the Scroll platform."

"Rho is more than just a liquidity hub, it's a harbinger of financial revolution." "The protocol employs robust security modules to protect user funds. By prioritizing security, the Rho Market community can confidently lend and borrow digital assets." "Any changes require on-chain governance proposals. This ensures alignment with community interests and eliminates single points of failure." "LRT asset lending is supported. Users can stake $RATE to earn higher yields. Through multiple LSD/LRT yield layers, the staking APR can reach up to 50%." "Through integration with the Sign Protocol and Plaid, Rho Market facilitates lending, repayment, and liquidation processes with funds directly from USD bank accounts."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Rho Markets Price Oracle Misconfiguration

Date | Event | Description
July 19th, 2024 4:13:00 AM MDT | Doughnut Reporting | CJ the doughnut reports on the exploit, which has presently taken all of the USDT and USDC from the protocol.
July 19th, 2024 4:46:00 AM MDT | Rho Markets Tweet | Rho Markets posts a tweet to inform their community that they have "detected unusual activity on [their] platform and are currently investigating it". The platform is presently paused.
July 19th, 2024 6:26:00 AM MDT | Scroll Blockchain Paused | "To thoroughly assess the situation, Scroll decided to temporarily delay the finalization of the chain."
July 19th, 2024 8:42:33 AM MDT | On-Chain Contact | The MEV bot which profited from the misconfiguration releases an on-chain message. They request that Rho Markets stop referring to the situation as an exploit and take full responsibility for their misconfiguration error.
July 19th, 2024 8:49:02 AM MDT | Fund Return Transaction | The funds are returned via a blockchain transaction on the Scroll network.
July 19th, 2024 10:30:00 AM MDT | Path Forward Announced | The Rho Markets team announces the path forward and that no funds have been lost. They will restore the protocol by identifying accounts supplying funds, restoring pool balances, and then carefully relaunching.
July 20th, 2024 4:42:00 AM MDT | Resumption In 4 Hours | The team announces that they anticipate relaunching the protocol within 4 hours.
July 20th, 2024 6:26:00 PM MDT | Relaunch Announcement | The team announces a relaunch and notes that they need a break after having worked for 34 hours non-stop.
July 24th, 2024 1:53:52 AM MDT | Security Incident Report | Rho Markets publishes a security incident report on their Medium account.
July 24th, 2024 6:03:00 AM MDT | Security Incident AMA | Rho Markets announces a security incident AMA session where any questions can be asked about what happened.
July 27th, 2024 1:00:00 AM MDT | New Chapter Announcement | Rho Markets announces a new chapter in a tweet. They are "committed to placing an even greater emphasis on safeguarding your assets and ensuring your peace of mind". They have "launched the RXP (Rho Markets Royalty Points) compensation boost program. Based on your asset supply and borrowing activities on Rho Markets during the incidents, we are delighted to offer a three-day boost at 3X the rate for suppliers and a three-day boost at 4X the rate for borrowers."
July 29th, 2024 11:20:29 PM MDT | Rho Markets Tweet | Rho Markets tweets further on the situation. TBD.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $5,164,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"On July 19, 2024, shortly after updating the smart contract for a new market launch, Rho Markets identified that the price oracles for ETH and BTC were providing contradictory price feeds due to a misconfiguration in the deployment script. This issue resulted in the prices of BTC and ETH being reversed, creating arbitrage opportunities for MEV bots. Due to the incorrect oracle pricing, assets including USDC, USDT, wstETH, STONE, and wrsETH were borrowed up to their borrowing caps. The estimated total amount affected is approximately $7.6 million. The incident took place on Scroll, impacting assets such as USDC, USDT, ETH, wstETH, and others. The MEV bot borrowed approximately $7.6 million worth of assets using a minimal amount of collateral in ETH."

"The vulnerability arose from a misconfiguration that allowed ETH suppliers to mint rETH at the BTC oracle price and use it as collateral within the Rho Markets protocol, resulting in a 20X increase in the actual value of ETH. This issue occurred due to the erroneous configuration of the ETH oracle price feed to the BTC price feed. Normally, such settings are validated before any changes are implemented. However, due to a human error in overseeing the deployment process, this validation check was missed in the case of the oracle price."

"Upon detecting the security vulnerability, our team immediately activated the incident response plan and successfully disabled all vulnerable components on the protocol, thereby containing the threat. With the assistance of security professionals from SEAL 911, we promptly communicated with the MEV wallet address and received a positive response. Within the next six hours, 100% of the funds were returned from the MEV address."

"Hello RHO team, our MEV bot has profited from your price oracle misconfiguration. We understand that the funds belong to users and are willing to fully return them. But first we would like you to admit that it was not an exploit or a hack, but a misconfiguration on your end. Also, please provide what you are going to do to prevent it from happening again."

Ultimate Outcome

"Moving forward, we have outlined the following three meticulously planned steps in response to the recent events:

1. Thoroughly identify the accounts that were actively supplying funds during the period when the oracle encountered issues.

2. Methodically replenish the funds into the USDC/USDT/wstETH pools, ensuring a seamless restoration of the affected balances.

3. Methodically reinstate the borrowing and transfer functionalities, adhering to stringent security protocols throughout the process.

Rest assured, our team is diligently executing these steps to reinstate normalcy, reinforce the integrity of our system, and safeguard the interests of our valued users."

"Our security measures have been functioning as intended. The incident occurred due to a human error in managing the deployment process. To avoid similar issues in the future, we are undertaking a thorough review and overhaul of our deployment procedures."

"Rho Markets is dedicated to ensuring the security of our protocol and user assets. Beyond our existing multi-step deployment review process, we are going to implement additional security policies and measures to prevent future incidents, including:

  • Thorough testing on Tenderly Fork: We will test any upgrades on a Tenderly fork if we need to update the price oracles or other changes to the protocol.
  • Meticulous Review Process: We will review each step meticulously to verify configuration setups, price oracles, and other relevant settings.
  • Clean Deployment Environment: We will ensure our deployment environment is clean by initiating new environments for each deployment and upgrade.
  • Enhanced Verification: We will work with security teams to verify all deployments are correct before mainnet deployment.
  • Bounty Programs through Immunefi"
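The incident report above attributes the loss to the ETH market being wired to the BTC price feed, and the remediation list promises a review step that verifies "configuration setups, price oracles, and other relevant settings" before mainnet deployment. The following is an added illustration of what such a pre-deployment check can look like; it is not Rho Markets' deployment script or any code from the project. The feed ids, descriptions, prices, timestamps and the market configurations are all constructed for the example. The check catches the swapped-feed class of mistake in three independent ways (the feed's own description does not name the asset, the feed's price disagrees with a second reference source, and a feed that has not updated recently), and a small helper shows how large the collateral over-valuation becomes when one asset is priced with another asset's feed.

```javascript
// Added example, not Rho Markets' code. Pre-deployment sanity check for the
// asset -> price-feed wiring of a lending-market configuration.
// Everything below (feed ids, descriptions, prices, timestamps) is constructed.

// Constructed mock oracle feeds keyed by a hypothetical feed id. Each feed
// exposes a human-readable description (Chainlink-style aggregators do this),
// a price scaled to 8 decimals, and the unix time of its last update.
const FEEDS = {
  "feed-eth-usd":  { description: "ETH / USD",  price: 3400_00000000n,  updatedAt: 1_721_390_000 },
  "feed-btc-usd":  { description: "BTC / USD",  price: 65000_00000000n, updatedAt: 1_721_390_000 },
  "feed-usdc-usd": { description: "USDC / USD", price: 1_00000000n,     updatedAt: 1_721_300_000 }, // stale
};

// Constructed reference prices from an independent second source (e.g. an
// exchange API or a different oracle network), used only to cross-check.
const REFERENCE_USD = { ETH: 3390, BTC: 64800, USDC: 1.0 };

const PRICE_DECIMALS = 8n;
const MAX_DEVIATION = 0.05;      // 5% tolerance between feed and reference price
const MAX_STALENESS_SEC = 3600;  // reject a feed that has not updated in an hour

function feedPriceToNumber(price) {
  return Number(price) / Number(10n ** PRICE_DECIMALS);
}

// Validate a market config of the form { ASSET: feedId }. Returns a list of
// human-readable findings; an empty list means the wiring passed every check.
function validateOracleConfig(config, feeds, reference, now) {
  const findings = [];
  for (const [asset, feedId] of Object.entries(config)) {
    const feed = feeds[feedId];
    if (!feed) {
      findings.push(`${asset}: unknown feed id ${feedId}`);
      continue;
    }
    // Check 1: the feed must describe the asset it is wired to. A BTC feed
    // assigned to the ETH market fails here before any price is looked at.
    if (!feed.description.startsWith(`${asset} /`)) {
      findings.push(`${asset}: feed ${feedId} describes "${feed.description}"`);
    }
    // Check 2: the feed price must agree with an independent reference.
    const price = feedPriceToNumber(feed.price);
    const ref = reference[asset];
    if (ref === undefined) {
      findings.push(`${asset}: no reference price available`);
    } else if (Math.abs(price - ref) / ref > MAX_DEVIATION) {
      findings.push(`${asset}: feed price ${price} deviates from reference ${ref}`);
    }
    // Check 3: the feed must be live.
    if (now - feed.updatedAt > MAX_STALENESS_SEC) {
      findings.push(`${asset}: feed ${feedId} last updated ${now - feed.updatedAt}s ago`);
    }
  }
  return findings;
}

// How many times over the protocol would value one unit of `asset` if the
// configured feed were used instead of the feed that really prices it.
function collateralInflationFactor(config, feeds, asset, trueFeedId) {
  const configured = feedPriceToNumber(feeds[config[asset]].price);
  const actual = feedPriceToNumber(feeds[trueFeedId].price);
  return configured / actual;
}

// Constructed configurations: a correct wiring and the swapped one.
const CORRECT_CONFIG = { ETH: "feed-eth-usd", BTC: "feed-btc-usd" };
const SWAPPED_CONFIG = { ETH: "feed-btc-usd", BTC: "feed-eth-usd" };
const NOW = 1_721_390_500;

// Stand-alone run: print findings for both wirings.
console.log("correct:", validateOracleConfig(CORRECT_CONFIG, FEEDS, REFERENCE_USD, NOW));
console.log("swapped:", validateOracleConfig(SWAPPED_CONFIG, FEEDS, REFERENCE_USD, NOW));
console.log("ETH over-valuation with swapped feeds:",
  collateralInflationFactor(SWAPPED_CONFIG, FEEDS, "ETH", "feed-eth-usd").toFixed(2) + "x");
```

A check like this belongs in the deployment pipeline as a gate that must return no findings before the transaction that enables the market is signed; the description check alone would have flagged the swapped wiring, and the reference cross-check covers feeds whose description is correct but whose data is wrong.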

Total Amount Recovered

The total amount recovered has been estimated at $5,164,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - Rho Market - Rekt (Accessed Aug 7, 2024)
  2. @RhoMarketsHQ Twitter (Accessed Aug 7, 2024)
  3. @RhoMarketsHQ Twitter (Accessed Aug 7, 2024)
  4. @RhoMarketsHQ Twitter (Accessed Aug 7, 2024)
  5. Rho Markets Security Incident Report (Accessed Aug 7, 2024)
  6. @RhoMarketsHQ Twitter (Accessed Aug 7, 2024)
  7. @RhoMarketsHQ Twitter (Accessed Aug 7, 2024)
  8. @RhoMarketsHQ Twitter (Accessed Aug 7, 2024)
  9. @RhoMarketsHQ Twitter (Accessed Aug 7, 2024)
  10. @RhoMarketsHQ Twitter (Accessed Aug 7, 2024)
  11. @RhoMarketsHQ Twitter (Accessed Aug 7, 2024)
  12. @Scroll_ZKP Twitter (Accessed Aug 7, 2024)
  13. Scroll Transaction Hash (Txhash) Details | Scrollscan (Accessed Aug 7, 2024)
  14. DeBank | The Real User Based Web3 Community (Accessed Aug 7, 2024)
  15. Rho Markets (Accessed Jun 10, 2024)
  16. https://www.rhomarkets.xyz/ (Accessed Jun 10, 2024)
  17. Scroll Transactions Information | Scrollscan (Accessed Aug 7, 2024)
  18. @zachxbt Twitter (Accessed Aug 7, 2024)
  19. DeBank | The Real User Based Web3 Community (Accessed Aug 7, 2024)
  20. @CJCJCJCJ_ Twitter (Accessed Aug 7, 2024)
  21. Scroll Transaction Hash (Txhash) Details | Scrollscan (Accessed Aug 7, 2024)