Rikkei Oracle Replace
Total Losses
$1.0M+
Date
Network
Categories
access control
Step-by-step
- Call setOracleData to set your own oracle for a token
- Take favorable loans using the malicious price
Detailed Description
The Rikkei Oracle contract did not restrict who could call its setOracleData function: any address could set the oracle for any rToken.
    // No access control: any caller can replace the price feed for rToken.
    function setOracleData(address rToken, oracleChainlink _oracle) external {
        oracleData[rToken] = _oracle;
    }
Once a malicious oracle is set (the attacker's is here), the attacker can take out loans for a monstrous amount of money with little to no collateral.
The attacker:
- Put 0.0001 BNB to get 4995533044307110.024 rBNB.
- Took a loan of 346199.781 USDC with the rBNB.
- Exchanged the USDC for 776.298 WBNB.
- Repeated this process with all stablecoins available.
- Restored the oracle.
- Exited the WBNB through Tornado Cash.
Possible mitigations
- The setOracleData function had to be either internal or authenticated (restricted to an authorized caller).
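To make the defect in the description and the fix in the mitigation concrete, here is an added Solidity example (not Rikkei Finance's code) showing the unauthenticated setter from the page beside an owner-restricted version, plus a small harness that exercises both. The interface name oracleChainlink comes from the page's snippet; its latestAnswer() method, the ConstantFeed and Outsider contracts, the owner pattern, and the placeholder rToken address are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed interface: the page names the type `oracleChainlink` but does not
// show its methods; a single latestAnswer() getter is assumed here.
interface oracleChainlink {
    function latestAnswer() external view returns (int256);
}

// "Before": mirrors the page's snippet. Anyone can replace the feed of any rToken.
contract RikkeiOracleVulnerable {
    mapping(address => oracleChainlink) public oracleData;

    function setOracleData(address rToken, oracleChainlink _oracle) external {
        oracleData[rToken] = _oracle;
    }

    function getPrice(address rToken) external view returns (int256) {
        return oracleData[rToken].latestAnswer();
    }
}

// "After": the "authenticated" option from the mitigation section. The setter is
// restricted to the deployer, rejects empty or non-answering feeds, and emits an
// event so off-chain monitoring can alert on every feed change.
contract RikkeiOracleHardened {
    address public immutable owner;
    mapping(address => oracleChainlink) public oracleData;

    event OracleDataSet(address indexed rToken, address indexed oracle, address indexed by);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setOracleData(address rToken, oracleChainlink _oracle) external onlyOwner {
        require(address(_oracle) != address(0), "zero oracle");
        require(_oracle.latestAnswer() > 0, "oracle returned non-positive price");
        oracleData[rToken] = _oracle;
        emit OracleDataSet(rToken, address(_oracle), msg.sender);
    }

    function getPrice(address rToken) external view returns (int256) {
        oracleChainlink feed = oracleData[rToken];
        require(address(feed) != address(0), "no oracle for token");
        return feed.latestAnswer();
    }
}

// Constructed feed that always returns a fixed price (test fixture, not a real oracle).
contract ConstantFeed is oracleChainlink {
    int256 private immutable price;
    constructor(int256 _price) { price = _price; }
    function latestAnswer() external view override returns (int256) { return price; }
}

// A caller that is not the owner of either oracle contract.
contract Outsider {
    // Returns whether the unprivileged call to setOracleData succeeded.
    function trySet(address target, address rToken, oracleChainlink feed) external returns (bool ok) {
        (ok, ) = target.call(abi.encodeWithSignature("setOracleData(address,address)", rToken, feed));
    }
}

// Deploys both versions and shows the difference in one call.
contract Demo {
    function run() external returns (bool vulnerableAccepted, bool hardenedRejected) {
        address rToken = address(0x1234); // placeholder token address, constructed for this example
        oracleChainlink honest = new ConstantFeed(300e8);
        oracleChainlink bogus = new ConstantFeed(1e30);

        RikkeiOracleVulnerable v = new RikkeiOracleVulnerable();
        RikkeiOracleHardened h = new RikkeiOracleHardened(); // Demo becomes owner
        v.setOracleData(rToken, honest);
        h.setOracleData(rToken, honest);

        Outsider o = new Outsider();
        // Vulnerable: the outsider's write lands and the price is now whatever it chose.
        vulnerableAccepted = o.trySet(address(v), rToken, bogus) && v.getPrice(rToken) == 1e30;
        // Hardened: the write reverts and the honest feed remains in place.
        hardenedRejected = !o.trySet(address(h), rToken, bogus) && h.getPrice(rToken) == 300e8;
    }
}
```

Deploy Demo and call run(); it returns (true, true). The OracleDataSet event is the detection hook: a feed change signed by anything other than the expected admin, or a change shortly followed by a reversal as in the incident timeline, is the signal to alert on.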