In the latest exploit, DeFi protocol Raft has lost approximately $3.3 million in ETH to a hacker who abused its R stablecoin. Raft shared a post confirming the vulnerability and paused the minting of R stablecoin.
In order to execute the exploit, the hacker created a set of interconnected contracts, used just 2 cbETH initially, and minted 3000 R. Then the hacker took a 1000 ETH flash loan to exploit the inflation index logic.
However, unlike other exploits, where stolen funds are sent to crypto mixers, this one took an unusual turn. The hacker received 1577 ETH from exploiting Raft and also pulled 18 ETH from the crypto mixer Tornado Cash. Surprisingly, the hacker then burned 1570 ETH in a subsequent transaction and is now left with only 14 ETH.
If the additional ETH brought in via Tornado Cash is subtracted, the hacker has apparently taken a loss of 4 ETH.
Igor Igamberdiev, the Head of Research at Wintermute, said that the code for converting R to ETH was called from a separate contract, which also had a parent contract with no receiver contract detail. “So, instead of sending ETH to the attacker, coins went to the null address, which has no private key,” Igor said.