
Scroll-based DeFi lending protocol halts operations amid investigation over $7.5m hack

  • The exploiter syphoned $7.5 million in Ether from the protocol.
  • Friday’s exploit drained the protocol’s entire USDT and USDC supply.
  • The team has paused the protocol and is investigating.

Rho Markets, a $43 million DeFi protocol on the Scroll blockchain, was forced to halt its operations amid a security incident that drained millions from its coffers.

On Friday, an exploiter drained $7.5 million in Ether from the DeFi yield-and-lending protocol, onchain data shows.

“We’ve detected unusual activity on our platform and are currently investigating it,” the team said on its X account.

Rho Markets’ dashboard shows the hacker drained the protocol’s entire supply of USDT and USDC stablecoins.

The attacker executed the exploit by manipulating the protocol’s oracle — a feature that provides information to smart contracts from offchain sources — to empty the stablecoin supply and withdraw more than double the posted collateral in Ether.

Data from Debank showed the $7.5 million in Ether was still in the attacker’s wallet as of reporting time.


Rho Markets did not immediately respond to a request for comment.

The Scroll team temporarily delayed finalisation on its network following the exploit but has since lifted the pause, Scroll’s senior researcher Toghrul Maharramov told DL News.


As Rho Markets is a fork of the legacy DeFi protocol Compound, the oracle attack likely targeted a rounding error vulnerability, a known weakness of other Compound forks.

Several attackers have targeted similar vulnerabilities in previous DeFi exploits, including attacks against Hundred Finance and Raft Finance.

Security experts have advised that DeFi builders treat such vulnerabilities as non-trivial and pay attention to rounding error bugs.

Smart contract auditor Joe Dakwa previously told DL News that robust unit and fuzz testing should become standard best practice to prevent future attacks.

Fuzz testing, or fuzzing, involves subjecting smart contracts to random data inputs to see if the code malfunctions.
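As an illustration of the fuzzing approach described above (an added example, not code from the article, Rho Markets or Compound), the harness below feeds random pool states to a simplified share-accounting model and checks that a withdrawal never pays out more than the burned shares are worth. The pool model, the `SCALE` constant and all function names are assumptions made for the example.

```python
import random

SCALE = 10**18  # assumed fixed-point scale for the toy model


def exchange_rate(cash, shares):
    """Underlying per share (scaled); 1:1 when no shares exist."""
    return SCALE if shares == 0 else cash * SCALE // shares


def shares_to_burn_floor(amount, cash, shares):
    """Integer division truncates, so the rounding favours the withdrawer."""
    return amount * SCALE // exchange_rate(cash, shares)


def shares_to_burn_ceil(amount, cash, shares):
    """Ceiling division, so the rounding favours the pool."""
    rate = exchange_rate(cash, shares)
    return -(-amount * SCALE // rate)


def fuzz(burn_fn, runs=2000, seed=1):
    """Return the first (cash, shares, amount) that breaks the invariant
    'value of burned shares >= amount paid out', or None if none is found."""
    rng = random.Random(seed)  # fixed seed keeps failures reproducible
    for _ in range(runs):
        shares = rng.randint(1, 10**6)
        cash = shares + rng.randint(0, 10**12)  # covers highly inflated rates
        amount = rng.randint(1, cash)
        burned = burn_fn(amount, cash, shares)
        if burned * exchange_rate(cash, shares) < amount * SCALE:
            return cash, shares, amount
    return None


if __name__ == "__main__":
    print("round-down counterexample:", fuzz(shares_to_burn_floor))
    print("round-up counterexample:  ", fuzz(shares_to_burn_ceil))
```

The same invariant can be carried into a contract-level fuzzing or invariant-testing setup; the point is that the property is stated once and checked against many random states rather than a handful of hand-picked ones.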

Rho Markets is the third-biggest lending service on Scroll, DefiLlama data shows.

That makes Rho Markets a popular destination for airdrop hunters keen on registering activity on the Scroll blockchain.

In May, Scroll launched a dashboard allowing users to track their points gained in Sessions, the network’s loyalty campaign programme.

The Sessions campaign is Scroll’s version of the points programmes that have become popular among DeFi projects as a temporary placeholder for airdrops.

Despite widespread criticism of Scroll’s Sessions, investor deposits into Scroll have jumped 650% since mid-May, when users could begin tracking their points.

Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips or information about stories, please contact him at osato@dlnews.com.