Beosin’s Detailed Analysis of Fortress’s Oracle Manipulation Attack

On May 9, 2022, according to Beosin EagleEye, Fortress’s Chain contract of FortressPriceOracle was exploited for about 1028.1 ETH and 400,000 DAi by an oracle manipulation attack. Beosin security team analyzed the incident and the findings are shown below.

Fortress Introduction

Fortress Credit and Lending (Fortress) is an algorithmic money market and synthetic stable coin protocol designed to bring secure and trustless credit and lending to users. The official website: https://fortress.loans/

Relevant Information

Transaction hash:

0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf

Hacker address:

0xa6af2872176320015f8ddb2ba013b38cb35d22ad

Hacker contract:

0xcd337b920678cf35143322ab31ab8977c3463a45

Victim contract:

0x00fcF33BFa9e3fF791b2b819Ab2446861a318285

Exploitation Flow

1. The attacker withdraws 20ETH from Tornado.cash, deposits 12.4ETH into Celer network and then transfers to the attack contract.

2. The attacker uses the deployed contract to submit a malicious price to make the FTS value extremely high, and then uses the increased value of the FTS to swap out all tokens from FBep20Delelgator.

3. The attacker submits a change in the FTS price when launching the attack, at which point the Oracle calls the function in the chain to get the price.

4. Chain’s submit function used for dpos permissions validation is commented, and the value of power = 0. As long as the signature is passed, any address can successfully submit and change the price.

5. The attacker finally swaps the stolen funds into ETH.

Vulnerability Analysis

This attack mainly exploits the vulnerability that the data source Chain obtained by Oracle does not validate power, thus manipulating the collateral price.

Fund Tracing

As of this writing, the attack contract was self-destructed. The stolen 1048.1 ETH and 400,000 DAI were deposited into TornadoCash.

Summary

In response to this incident, Beosin security team recommends:

1. Validating the source of the price data acquired by Oracle is important. It is recommended to use TWAP.

2. Before the project goes live, it is highly recommended to choose a professional security audit company for a comprehensive security audit to avoid security risks.

More

1. VaaS — Automatic Detection Tool , Make Your Smart Contract Secure In Web3.0

2. How to Ensure the Security of NFT Under the Web 3.0 Boom?

3. DEUS Finance Suffered its Second Flashloan Attack This Year: Beosin’s Detailed Analysis

4. Beosin Has Completed Security Audit Service of Crypto LEGO ALG

5. Beosin Has Completed Security Audit Service of MasterChefV2 and cake-pool Contracts in PancakeSwap

6. 「RECAP」AMA About How to Keep Your Smart Contract Secure During Development With Beosin VaaS

Contact

If you have need any blockchain security services, please contact us:

Website Email Official Twitter Alert Telegram LinkedIn

Join Coinmonks Telegram Channel and Youtube Channel learn about crypto trading and investing

Also, Read

• OKEx vs KuCoin | Celsius Alternatives | How to Buy VeChain

• Binance Futures Trading | 3Commas vs Mudrex vs eToro

• How to buy Monero | IDEX Review | BitKan Trading Bot

• CoinDCX Review | Crypto Margin Trading Exchanges

• Red Dog Casino Review | Swyftx Review | CoinGate Review

• Bookmap Review | 5 Best Crypto Exchanges in the USA