According to Cointelegraph: Raft, a decentralized U.S. dollar stablecoin protocol, experienced a security exploit last week, resulting in a loss of $6.7 million. Surprisingly, this vulnerability wasn't detected in the multiple security audits completed by blockchain security firms Trail of Bits and Hats Finance.
According to the protocol’s post-mortem report, a hacker borrowed 6,000 Coinbase-wrapped staked Ether (cbETH) from the decentralized finance protocol Aave, transferred it to Raft, and minted 6.7 million Raft stablecoins using a smart contract glitch. These coins were swapped via Balancer and Uniswap liquidity pools, earning the hacker $3.6 million. Meanwhile, the Raft stablecoin lost its dollar peg following the attack.
The root cause was a precision issue in the minting of share tokens, which allowed the hacker to acquire extra share tokens and to manipulate the index value to increase the worth of those tokens.
Following the Nov. 10 incident, Raft filed a police report, and it's now cooperating with centralized exchanges to trace the stolen funds. The smart contracts of Raft have been placed on hold, although R minters maintain the ability to repay their positions and claim their collateral.
Decentralized stablecoins are usually backed by users' crypto deposits as collateral. Last December, the HAY stablecoin similarly lost its peg following a hack that exploited a smart contract glitch and minted 16 million HAY without appropriate collateral. However, the HAY stablecoin partially regained its peg, owing to a collateralization ratio requirement of 152% that was in place at the time of the exploit as a risk-management measure.