Skip to content
This repository has been archived by the owner on May 27, 2024. It is now read-only.

Latest commit

 

History

History
 
 

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

Rikkei Oracle Replace

Step-by-step

  1. Call setOracleData to set your own oracle for a token
  2. Take favorable loans using the malicious price

Detailed Description

The Rikkei Oracle contract did not prevent someone from calling their setOracleData function.

    function setOracleData(address rToken, oracleChainlink _oracle) external {
        oracleData[rToken] = _oracle;
    }

Once a malicious oracle is set (the attacer's is here), the attacker can get loans for a monstruous amount of money with little to no collateral.

The attacker:

  1. Put 0.0001 BNB to get 4995533044307110.024 rBNB.
  2. Took a loan of 346199.781 USDC with the rBNB.
  3. Exchanged the USDC for 776.298 WBNB
  4. Repeated this process with all stablecoins available
  5. Restored Oracle
  6. Exit the WBNB through Tornado Cash

Possible mitigations

  • The setOracleData had to be either internal or authenticated.

Diagrams and graphs

Entity and class diagram

PlantUML

Sources and references