Sovryn hacked for $1M a Bitcoin-based decentralized finance technology, was plundered on Tuesday.
The hacker stole 44.93 RBTC and 211,045 USDT from the protocol.
Sovryn’s First Hack
Sovryn said in a blog post about the issue that the attacks were aimed at the legacy Sovryn Borrow/Lend protocol. It had an effect on the lending pools for RBTC and USDT.
The prices of RBTC and USDT are tied to those of Bitcoin and US dollars, respectively. In this case, they move around on Rootstock (RSK), a Bitcoin sidechain that is meant to expand Bitcoin’s smart contract, dapp, and scaling capabilities. Sovryn is a protocol for Defi that is built on RSK.
Some of the money was reportedly taken out using Sovryn’s AMM swap function, so the attacker ended up with more than one token. The work to get the money back is still going on.
“Because of the multi-layered security approach, developers were able to find the attacker and get the money back as he tried to withdraw it,” the post says. “At this point, developers have worked together to get back about half of the value of the exploit.”
Sovryn’s Edan Yago stated this is the first successful attack in two years. Sovryn has lucrative and used bug bounties, therefore it’s “one of the most heavily audited Defi systems.”
Read More: The FBI advises DeFi investors to do this.
The attack succeeded because Sovryn’s iTokens were revalued. iTokens represent a user’s crypto lending pool share. This token’s price changes whenever a lending pool position is used.
How the Money Was Spent
Sovryn hacked for $1M, The attacker first used a flash swap in RskSwap to purchase WRBTC (wrapped RBTC). Further WRBTC was obtained using Sovryn’s loan contract, with the borrower pledging his personal supply of XUSD (another stablecoin) as security.
During the whole process, the iToken price was changed so that the attacker could take out a lot more RBTC from the lending pool than was originally put in.
Sovryn made it clear that the hack hasn’t hurt user funds. If there is money missing from the lending pools, the Sovryn treasury, Exchequer, will put it back in.