Sovryn – a Bitcoin-based decentralized finance protocol – was drained of over $1 million in funds on Tuesday using a price manipulation exploit.
The attack allowed the culprit to drain over $1 million worth of crypto from the protocol, including 44.93 RBTC and 211,045 USDT.
According to Sovryn’s blog post on the topic, the attacks specifically targeted the legacy Sovryn Borrow/Lend protocol. It impacted the RBTC and USDT lending pools.
RBTC and USDT are crypto assets price pegged to Bitcoin and US dollars respectively. In this case, they circulate on Rootstock (RSK), a Bitcoin sidechain meant to expand Bitcoin’s smart contract, dapp, and scaling capabilities. Sovryn is a Defi protocol built on RSK.
Some of the funds were apparently withdrawn using Sovryn’s AMM swap function, meaning the attacker ended up with several different tokens. The effort to recover funds is still ongoing.
“Due to the multi-layered security approach taken, devs were able to identify and recover funds as the attacker was attempting to withdraw the funds,” reads the post. “At this point, through a combined effort, devs have managed to recover about half the value of the exploit.”
Sovryn spokesperson Edan Yago said this is the first successful exploit against the protocol after two years of operation. He maintained that Sovryn is “one of the most heavily audited Defi systems,” with valuable and active bug bounties.
The exploit worked by manipulating Sovryn’s iToken price – interest-bearing tokens representing the share of cryptocurrency a user holds in a lending pool. This token’s price is updated every time a lending pool position is interacted with.
First, the attacker bought WRBTC (wrapped RBTC) using a flash swap in RskSwap. Then, he borrowed additional WRBTC from Sovryn’s lending contract using his own XUSD (another stablecoin) as collateral.
“The attacker then provided liquidity to the RBTC lending contract, closed their loan with a swap using their XUSD collateral, redeemed (burned) their iRBTC token, and sent the WRBTC back to RskSwap to complete the flash swap,” the post continued.
The entire process manipulated the iToken price such that the attacker could withdraw far more RBTC from the lending pool than was first deposited.
Sovryn clarified that user funds have not been affected by the hack. Any missing value from the lending pools will be reinjected by Exchequer – the Sovryn treasury.