In the eye of the storm
The Defi space on BNB Smart Chain (BSC) was again hit by a series of exploits this week which targeted Jetfuel finance and MahaDAO respectively. The Jetfuel finance exploit resulted in a loss of about USD 3 million on its Fortress Loan platform whose collateral token Fortress (FTS) had just recently seen some very positive price action. This may have been the reason why it was targeted which at this point is a mere speculation.
The official statement about the hack on the Jetfuel Finance Telegram announcement channel reads thus:
"Fortress has been hit with what we believe is an oracle manipulation attack draining all funds. We are investigating to determine the exact method of attack.
PLEASE DO NOT SUPPLY ANY ASSETS TO FORTRESS! Fortress.loans
We are absolutely devastated. We will provide updates as soon as any information is available.
This is the address that implemented the attack: https://bscscan.com/address/0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad
Transaction that started the oracle attack: https://bscscan.com/tx/0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf
All stolen funds have been bridged to Ethereum and deposited into Tornado via 1,048.1 ETH & 400,000 DAI
We need the support of all of our partners and key organizations in the community to assist and try to freeze and bring back the funds! IF THERE IS ANYTHING ANYONE CAN DO PLEASE DM US!"
CertikAlert summarised the hack via its Twitter handle thus:
1. The attacker bought FTS tokens
2. Took control of the governance contracts
3. Manipulated the loan contracts
4. Borrowed large amounts of assets from the loan contracts
5. Bridged the funds to Ethereum and deposited them to Tornado cash
The screenshots from Certik Alert Twitter handle detailing the attack flow are shown below
Barely a month ago hackers targeted Inverse Finance which is built on the Ethereum blockchain and exploited a vulnerability in the Keep3r price oracle to steal tokens worth about USD 15.6 million comprising 1,588 ETH, 94 WBTC, 39 YFI, and 3,999,669 DOLA . The route of choice again which was used to funnel the stolen funds was Tornado cash.
The series of hacks mentioned above focused on exploiting vulnerabilities in the price oracles utilized by the affected Defi platforms to steal tokens.
In Early May, Tornado Cash was again in the news after another Defi hack. Mad Meerkat which is the largest decentralised exchange on the Cronos block chain was hacked for about USD 2 million. This was achieved via a front-end breach of the project's app which resulted in funds involved in transactions being moved to the hacker's wallet. After bridging the stolen funds over to the Ethereum network, the hacker deposited them in Tornado Cash.
Back in January, 2022 Gizmodo reported that hackers who had stolen USD 15 million worth of Ethereum from crypto platform Crypto.com had attempted to launder the stolen funds through ............. ....can you guess?
Tornado cash once again
Why Tornado Cash?
It is what is termed in some quarters as an Ethereum "mixer". The mixer executes interference on the Blockchain to make the task of tracking stolen funds to determine their final destination difficult.
These recent channeling of stolen funds through Tornado cash seem to justify the accusation that it is now the route of choice for criminals to launder money in the crypto space. With the increasing cases of it being used in moving stolen funds it is only a matter of time before it gets into the cross hairs of powerful law enforcement agencies such as the FBI.
This may eventually lead to its operators facing criminal charges or being prosecuted and the platform possibly being shut down. Other mixers such as Best mixer and Helix were shut down in 2019 and 2021 after being paid visits by law enforcement agents amidst allegations of money laundering. Best mixer was accused of laundering USD 200 million while the operator of helix pleaded guilty to laundering USD 300 million worth of crypto in August, 2021.
Thus the operators of Tornado Cash will do well to clean up their act and put checks in place to make their platform unattractive to individuals hacking Defi platforms else they will be c culpable and find themselves in the eye of the storm that is gathering momentum against them.