Ethereum layer-2 network Scroll has temporarily halted its chain finalization following a significant security breach at Rho Markets, a decentralized finance (DeFi) protocol on its platform. The incident resulted in the loss of approximately $7.6 million worth of USDC and USDT.
The Exploit
On July 19, Rho Markets detected unusual activity and suspended operations to investigate the issue. Blockchain security firm Cyvers Alert identified the root cause as a breach in the protocol’s oracle access control by a malicious actor. According to Cyvers, the attacker managed to manipulate the oracle to drain Rho Markets’ stablecoin reserves and withdraw more than double the collateral posted in Ether (ETH).
DeBank’s dashboard revealed that the exploiter’s wallet contains 2,203 ETH, valued at $7.5 million, along with other assets like Mantle’s MNT, Binance’s BNB, and Fantom’s FTM tokens.
Scroll’s Response
In response to the breach, Scroll Network announced it would delay chain finalization to conduct a thorough assessment of the situation. The team coordinated with Rho Markets to address the exploit and mitigate any further risk to user funds. Scroll emphasized that the exploit was application-specific and not a vulnerability within the Scroll network itself.
Community Reaction
The decision to delay chain finalization has sparked a debate about the principles of decentralization within the crypto community. Critics argue that such actions contradict the decentralized ethos, while supporters believe the move was necessary to protect users’ assets. Andy, co-founder of The Rollup, commented:
Until things are close to being maximally decentralized, I think pausing state finalization to prevent user funds being lost is right. Especially for an ecosystem project that is trying to innovate. I don’t know what this says about Scroll’s censorship resistance, though.
Potential Whitehat Activity
Interestingly, the attacker has expressed a willingness to return the stolen funds, suggesting that this might be an act of a whitehat hacker. On-chain messages shared by blockchain investigator ZachXBT indicate the attacker’s intentions:
Hello RHO team, our MEV bot profited from your price oracle misconfiguration. We understand the funds belong to users and are willing to fully return them. But first, we would like you to admit it was a misconfiguration, not an exploit or hack. Also, please explain how you will prevent this from happening again.
Broader Implications
This exploit marks another significant blow to the crypto industry, following closely on the heels of a $230 million hack of the Indian cryptocurrency exchange WazirX. The second half of July has been particularly lucrative for crypto hackers, underscoring the need for enhanced security measures within the DeFi space.
Security experts advise that DeFi builders treat vulnerabilities like rounding errors in oracles as non-trivial and implement robust unit and fuzz testing to prevent future exploits.
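As an added illustration of that testing advice (example code written for this page, not code from Rho Markets, Scroll or Cyvers), the following Python model shows a permissioned price oracle with a per-update deviation bound, a borrow limit that rounds against the borrower, and a property-style fuzz loop over random callers and prices; the "admin"/"attacker" names, the 8-decimal price scale and the 10% bound are assumptions.

```python
import random

PRICE_DECIMALS = 8          # assumed feed scale (8 decimals, as many USD feeds use)
WAD = 10**18                # 18-decimal fixed point for USD values
BPS = 10_000

class PriceOracle:
    """Hypothetical permissioned price store with a deviation bound per update."""

    def __init__(self, admin, max_deviation_bps=1_000):
        self.admin = admin
        self.max_deviation_bps = max_deviation_bps
        self.prices = {}

    def set_price(self, caller, asset, price):
        # Access control: only the configured admin may post a price.
        if caller != self.admin:
            raise PermissionError("unauthorized oracle update")
        if price <= 0:
            raise ValueError("price must be positive")
        last = self.prices.get(asset)
        # Deviation bound: a single update cannot move the price beyond the limit.
        if last is not None and abs(price - last) * BPS > last * self.max_deviation_bps:
            raise ValueError("price update exceeds deviation bound")
        self.prices[asset] = price

def max_borrow_usd(amount, token_decimals, price, ltv_bps):
    # Multiply first, divide once, floor: rounding never favours the borrower.
    return amount * price * WAD * ltv_bps // (10**token_decimals * 10**PRICE_DECIMALS * BPS)

def fuzz_oracle(iterations=5_000, seed=1):
    """Property test: non-admin callers never change the price and every accepted
    update stays within the bound. Returns True when no violation is found."""
    rng = random.Random(seed)
    oracle = PriceOracle(admin="admin")
    oracle.set_price("admin", "ETH", 3_500 * 10**PRICE_DECIMALS)  # constructed seed price
    for _ in range(iterations):
        before = oracle.prices["ETH"]
        caller = rng.choice(["admin", "attacker"])
        proposed = rng.randint(1, 10**13)
        try:
            oracle.set_price(caller, "ETH", proposed)
        except (PermissionError, ValueError):
            pass  # rejected updates are the expected path for bad input
        after = oracle.prices["ETH"]
        if caller != "admin" and after != before:
            return False
        if abs(after - before) * BPS > before * oracle.max_deviation_bps:
            return False
    return True
```

The same loop can be extended with random token decimals to check that max_borrow_usd never exceeds the exact LTV value, which is the rounding invariant the advice above refers to.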
As investigations continue, the Scroll team has resumed finalization, confident that the immediate threat has been contained. However, the incident has highlighted the ongoing challenges and complexities in maintaining security in decentralized finance ecosystems.