DeFi Protocol ‘Fortress Lending’ Exploited for $3 Million
The Fortress decentralised finance (DeFi) protocol – a crypto borrowing and lending platform – has seen an estimated US$3 million of its funds drained. The Binance Smart Chain (BSC)-based platform fell victim to an oracle attack last weekend with the loss of “all funds”.
Price Oracle Targeted by Hackers
Both PeckShield and BlocSec have noted that the oracle used by Fortress “can be hijacked by anyone due to the lack of power verification”. PeckShield also warned the oracle network Umbrella about its involvement in the incident. This exploit could be used against anyone using the same Umbrella oracle, the firms warned.
In response, Umbrella released its own statement saying it was “aware of the recent exploits that may have stemmed from an Umbrella Network price feed error”.
Because of the missing verification, the attacker was able to call the oracle function and manually change the price of the native Fortress token (FTS), then buy a large enough amount of FTS to pass a vote for a proposal to allow FTS tokens to be taken as collateral. As a result, the attacker used 100 FTS as collateral to borrow all other assets in the protocol.
The stolen 1,048.1 ETH and 400,000 DAI were then promptly bridged to the Ethereum network and washed through TornadoCash.
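The missing check that PeckShield and BlocSec describe, modelled as an added example (not code from Fortress or Umbrella): a price update is accepted only when valid signatures from distinct validators reach a power quorum. The class and function names, the validator set, the 67 percent quorum, the prices and the HMAC stand-in for on-chain signatures are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed validator set: name -> (key, staking power). HMAC-SHA256 stands in
# for the on-chain signatures a real oracle contract would recover and check.
VALIDATORS = {"v1": (b"key-1", 40), "v2": (b"key-2", 35), "v3": (b"key-3", 25)}
QUORUM_PERCENT = 67  # assumed threshold: share of total power that must sign

def sign(name, asset, price):
    """Demo helper: produce validator `name`'s signature over a price."""
    key, _ = VALIDATORS[name]
    return name, hmac.new(key, f"{asset}:{price}".encode(), hashlib.sha256).hexdigest()

def signed_power(asset, price, sigs):
    """Sum the power of distinct, known validators whose signature verifies."""
    msg = f"{asset}:{price}".encode()
    seen, power = set(), 0
    for name, sig in sigs:
        if name in seen or name not in VALIDATORS:
            continue  # a repeated signer or an unknown key contributes nothing
        key, weight = VALIDATORS[name]
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(sig, expected):
            seen.add(name)
            power += weight
    return power

class Oracle:
    """Hypothetical price feed; verify_power=False models the flawed behaviour."""
    def __init__(self, verify_power):
        self.verify_power = verify_power
        self.prices = {}

    def submit_price(self, asset, price, sigs):
        total = sum(weight for _, weight in VALIDATORS.values())
        if self.verify_power and signed_power(asset, price, sigs) * 100 < QUORUM_PERCENT * total:
            raise PermissionError("signatures do not reach the power quorum")
        self.prices[asset] = price

def borrow_limit(oracle, asset, amount, collateral_percent=50):
    """Lending-side view: value the collateral unlocks at the oracle price."""
    return oracle.prices[asset] * amount * collateral_percent // 100
```

With the check disabled, any caller's price flows straight into `borrow_limit`; with it enabled, an unsigned, replayed or unknown-signer update is rejected and the last quorum-signed price stays in force.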
FTS Price Takes a Tumble
Amid the market-wide crash that has coincided with the hack, Fortress’s native token has taken quite a beating, dropping over 60 percent in the past two weeks and down 99 percent over the past year, according to CoinGecko.
Hackers have been a major thorn in the side of the DeFi sector this year. According to PeckShield, as of the beginning of May more than US$1.57 billion in cryptocurrency had been stolen from DeFi platforms in 2022.
During the past week alone, Rari Capital was hacked for more than US$80 million and MM.Finance for US$2 million, only adding to the year’s negative tally.