
Rho Market: $7.5 Million Oracle Exploit Revealed

Rho Market Oracle Misconfiguration Leads to $7.5 Million Exploit: Analyzing the Impact on Layer 2 Decentralization and Future Implications for Blockchain Infrastructure

TL;DR

A misconfiguration in Rho Market’s oracle allowed an MEV bot to exploit a price discrepancy, resulting in a $7.5 million loss. The funds were returned after the attacker demanded acknowledgment of the error and preventive measures. This incident revealed flaws in Layer 2 solutions, prompting concerns about their decentralization compared to Layer 1 systems.


A seemingly minor error in Rho Market's oracle configuration on July 19th quickly turned into a $7.5 million opportunity for a vigilant MEV bot.

The bot, operating on Scroll, the Layer 2 network that hosts Rho Market, exploited the flaw within minutes.

The decentralized finance (DeFi) sector is known for its high-stakes nature, where even the smallest errors can result in enormous financial losses.

In this environment, millions can disappear almost instantaneously due to such oversights.

In this digital realm, MEV bots function as modern-day gunslingers, their sophisticated algorithms ready to exploit any vulnerability in protocols.

These bots are always on the lookout for any lapse that could grant them access to valuable assets.

However, the scenario becomes more complex when the bot that exploits the vulnerability offers to return the ill-gotten gains.

This raises the question of morality in the digital financial frontier: if the attacker proposes to restore the funds, does it still qualify as an exploit?


Oracles act as the vital information providers for smart contracts, delivering essential off-chain data such as asset prices to on-chain systems. A lending protocol uses those prices to value every deposit and every loan, so a wrong or outdated price misprices all of its collateral at once, and when these data sources fail the disruption is immediate.

Rho Market, a fork of Compound Finance, held around $38 million in assets just before the exploit, according to DeFiLlama.

The incident comes on the heels of last week's panic over front-end hijacking incidents on popular DeFi platforms, with Compound being a notable target.

In this case, the misconfigured oracle at Rho Market reported prices that diverged from market prices. An MEV bot took advantage of that discrepancy as an arbitrage opportunity against the protocol's pools, draining $7.5 million within minutes.

The incident was first reported by CJ the “Doughnut”, who highlighted the draining of USDC and USDT from the platform.

CJ identified a possible attacker’s address, revealing a gain of $7.5 million in a few hours.

In response to the unusual activity, Rho Markets paused its platform to prevent further losses.

The incident also led Scroll, the Layer 2 network hosting Rho Market, to temporarily halt its operations. This swift action aimed to protect the integrity of the network and its users.

ZachXBT noted that “Exploiter has a ton of exposure to centralized exchanges so would say there’s a good probability this gets recovered and they are gray or white hat”.

Zach’s assessment proved accurate, as he soon shared an on-chain message from the attacker:

“Hello RHO team, our MEV bot has profited from your price oracle misconfiguration. We understand that the funds belong to users and are willing to fully return them. But first we would like you to admit that it was not an exploit or a hack, but a misconfiguration on your end. Also, please provide what you are going to do to prevent it from happening again.”

True to their word, the funds were returned shortly after.

Rho Markets confirmed that the issue was resolved without any loss of funds and announced that they are currently reallocating funds back to the borrow pools.

In response to the incident, Rho Markets has implemented a three-step plan:

  1. Carefully identify the accounts that were providing funds during the oracle malfunction.

  2. Systematically restore funds to the USDC, USDT, and wstETH pools to ensure affected balances are fully replenished.

  3. Gradually reinstate borrowing and transfer functions, maintaining strict security protocols throughout the process.

Rho Markets had previously undergone an audit by Dedaub in May of this year.

The audit identified a medium-severity issue (Section M2) in the protocol's oracle implementation. It pointed out that the oracle did not adequately verify the timeliness of price data from Chainlink: the protocol accepted the feed's latest answer without checking how old it was, so during a feed outage it would keep using a stale price, potentially causing inconsistencies in the protocol.

There is no confirmation whether this issue contributed to the recent exploit.
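As an added illustration (this is example code written for this page, not Rho Market's, Compound's or Chainlink's), the Python model below shows two things the article touches on: how a Compound-style market turns whatever price its oracle returns into borrow capacity, and a timeliness check of the kind the audit's M2 finding called for. The round structure mirrors the fields Chainlink's latestRoundData() returns; the prices, the 10x misreport, the collateral factor and the 3600-second staleness bound are assumed numbers, and the page does not establish that this was the actual mechanism at Rho Market.

```python
# Added example (Python model, not Rho Market's, Compound's or Chainlink's code):
# how a Compound-style market turns an oracle price into borrowable value, and a
# timeliness check of the kind the audit's M2 finding calls for. The feed values,
# prices, collateral factor and "misreported" scenario are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RoundData:
    """Field-for-field what AggregatorV3Interface.latestRoundData() returns on-chain."""
    round_id: int
    answer: int            # price scaled by 10**decimals, e.g. 3000 USD -> 300000000000 at 8 decimals
    started_at: int        # unix timestamp the round opened
    updated_at: int        # unix timestamp of the last update; 0 means the round never completed
    answered_in_round: int


def validate_round(rd: RoundData, now: int, max_age: int) -> Optional[str]:
    """Return None if the round is usable, otherwise a short reason it must be rejected."""
    if rd.answer <= 0:
        return "non-positive answer"
    if rd.updated_at == 0 or rd.answered_in_round < rd.round_id:
        return "incomplete round"
    if now - rd.updated_at > max_age:
        return "stale"
    return None


def price_unchecked(rd: RoundData, decimals: int) -> float:
    """The weak read: use whatever the feed last said, however old it is."""
    return rd.answer / 10 ** decimals


def price_checked(rd: RoundData, decimals: int, now: int, max_age: int) -> float:
    """The hardened read: refuse to price anything off a rejected round."""
    reason = validate_round(rd, now, max_age)
    if reason is not None:
        raise ValueError(f"oracle round {rd.round_id} rejected: {reason}")
    return price_unchecked(rd, decimals)


def borrow_capacity(collateral_units: float, price: float, collateral_factor: float) -> float:
    """USD a supplier may borrow against collateral valued at `price` (Compound-style)."""
    return collateral_units * price * collateral_factor


def excess_borrow(collateral_units: float, true_price: float,
                  oracle_price: float, collateral_factor: float) -> float:
    """USD the protocol lends out beyond what the collateral is really worth.

    Anything above zero is lost if the borrower simply walks away: the loan is
    only backed by collateral worth collateral_units * true_price.
    """
    capacity = borrow_capacity(collateral_units, oracle_price, collateral_factor)
    return max(0.0, capacity - collateral_units * true_price)


# Constructed scenario (hypothetical numbers): feed at 8 decimals, market price 3000 USD.
DECIMALS = 8
NOW = 1_700_000_000
MAX_AGE = 3_600  # seconds; a heartbeat-plus-margin bound for an hourly feed (assumed)

FRESH = RoundData(round_id=42, answer=3000 * 10**DECIMALS,
                  started_at=NOW - 90, updated_at=NOW - 60, answered_in_round=42)
STALE = RoundData(round_id=42, answer=3000 * 10**DECIMALS,
                  started_at=NOW - 7_260, updated_at=NOW - 7_200, answered_in_round=42)


def demo() -> dict:
    """Run the cases and return their results as a dict so they can be checked."""
    out = {}
    out["fresh_price"] = price_checked(FRESH, DECIMALS, NOW, MAX_AGE)
    out["stale_verdict"] = validate_round(STALE, NOW, MAX_AGE)
    out["stale_unchecked"] = price_unchecked(STALE, DECIMALS)   # the weak path still returns 3000.0
    # A misconfigured feed reporting 10x the market price (hypothetical) lets 100 units
    # of collateral, really worth 300,000 USD, back 2,250,000 USD of borrowing at a 75% factor.
    out["excess"] = excess_borrow(100, true_price=3000, oracle_price=30_000, collateral_factor=0.75)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the split between price_unchecked and price_checked is that both return the same number on a healthy feed; they only differ once the feed stops updating, which is exactly when a lending market's collateral valuations drift away from the market and a bot can arbitrage the difference.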

In the blockchain space, where censorship resistance and permissionless access are fundamental principles, such incidents highlight the vulnerabilities in the current infrastructure.

While Rho Market was fortunate to have a benevolent bot operator return the funds this time, there is no guarantee that future white-hat hackers will be as generous.


The recent DeFi incident not only highlighted issues with oracle misconfigurations but also rekindled discussions about decentralization in Layer 2 (L2) solutions.

Rho Market's mistake led to Scroll halting its chain, prompting Sudo to criticize L2s. He suggested that these solutions, which claim to be permissionless and censorship-resistant, may be merely trying to attract venture capital, making Layer 1 (L1) Ethereum's genuine decentralization appear more compelling.

L2 operators now face a dilemma: they must choose between censoring transactions to protect funds and risking accusations of centralization, or maintaining their commitment to permissionless principles at the expense of user security.

As centralized sequencers and provers become more common in Layer 2 (L2) solutions, concerns about liability are increasing. Operators of these systems may become central points of failure, vulnerable to legal and regulatory pressures.

Although Layer 2 solutions are designed to offer scalability and decentralization, there is a critical question: Are these advancements truly creating a censorship-resistant future, or are they simply more efficient versions of the traditional systems we sought to improve?