Rho Markets Hack - July 2024
The Incident
In July 2024, Rho Markets, a DeFi protocol on the Scroll network, suffered a price oracle misconfiguration that resulted in a financial loss of $7.6M.
Technical Details
The direct cause of the exploit was manipulation of the oracle, which resulted in incorrect price feeds. Prior to the attack, a suspicious ownership transfer (potentially due to a private key leak) allowed the hacker to control the contract and execute the exploit. The exploit targeted the pools for the platform's major stablecoins, such as USDC and USDT.
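Detection logic for the chain described above (an ownership change followed by off-peg stablecoin prices), added here as an example and not code from Rho Markets or the original page. The event fields, thresholds, owner allowlist and sample events are all constructed assumptions.

```python
from dataclasses import dataclass

PEG_USD = 1.0          # USDC/USDT feeds should report close to $1
MAX_DEVIATION = 0.02   # assumed tolerance: 2% off peg
WATCH_BLOCKS = 500     # assumed window after an owner change in which updates are suspect
TRUSTED_OWNERS = {"0xTEAM_MULTISIG"}  # placeholder allowlist, not a real address

@dataclass
class Event:               # hypothetical normalized on-chain event
    block: int
    kind: str              # "ownership_transferred" or "price_updated"
    contract: str
    new_owner: str = ""
    asset: str = ""
    price_usd: float = 0.0

def detect(events):
    """Return alerts as (block, severity, message) tuples, in block order."""
    alerts = []
    untrusted_since = {}   # contract -> block where an unlisted owner took over
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "ownership_transferred":
            if ev.new_owner in TRUSTED_OWNERS:
                untrusted_since.pop(ev.contract, None)
            else:
                untrusted_since[ev.contract] = ev.block
                alerts.append((ev.block, "high",
                               f"{ev.contract} owner changed to unlisted {ev.new_owner}"))
        elif ev.kind == "price_updated":
            if abs(ev.price_usd - PEG_USD) / PEG_USD <= MAX_DEVIATION:
                continue   # within peg band, nothing to report
            start = untrusted_since.get(ev.contract)
            recent = start is not None and ev.block - start <= WATCH_BLOCKS
            # An off-peg price right after an unexpected owner change is the worst case.
            alerts.append((ev.block, "critical" if recent else "medium",
                           f"{ev.asset} feed at ${ev.price_usd:.2f} on {ev.contract}"))
    return alerts

SAMPLE = [  # constructed events; the prices are illustrative, not from the incident
    Event(100, "price_updated", "oracle", asset="USDC", price_usd=1.001),
    Event(120, "ownership_transferred", "oracle", new_owner="0xUNKNOWN"),
    Event(125, "price_updated", "oracle", asset="USDT", price_usd=1.35),
    Event(126, "price_updated", "oracle", asset="USDC", price_usd=0.999),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```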
Fund Recovery
The attack was front-run by an MEV bot, which indicated its intention to return the funds. As negotiated, the MEV arbitrage bot later returned the 2,202.85 ETH (worth ~$7.6M) to a Safe multisig wallet to safeguard user-owned assets, as the team announced. The Rho Markets team announced that no funds had been lost in the incident and that the protocol was in the process of reallocating funds to the impacted borrow pools.
Before returning the funds, the attacker requested that Rho Markets acknowledge the incident as a misconfiguration rather than a hack, and the team complied with these demands.