The Unfortunate Tale of Raft DeFi Hack: A Misstep in Cyber Heist

In the ever-evolving world of decentralized finance (DeFi), the Raft protocol stands as a significant player. However, it recently fell victim to a complex security incident. This unfortunate event led to the minting of approximately $6.7 million in unbacked R tokens, shaking the foundations of trust and security in the DeFi landscape.

The Hack

An attacker found a vulnerability in the Raft protocol, a DeFi platform. They exploited this weakness to create child contracts from their parent contract. With just 2 cbETH, they issued 3,000 R tokens.

The attacker then liquidated these positions using over 1,000 ETH obtained from flash loans. This action inflated the index used to calculate each user’s collateral amount, leading to a sharp increase in the collateral balance for all users.

The attacker’s small position turned into 3.9k ETH, which they used to mint R tokens. They planned to sell these tokens, likely to hide the stolen funds in one of the mixers.

The Twist

In an unexpected turn of events, the hacker, who had successfully minted and liquidated a large amount of uncollateralized R stablecoin, attempted to convert these tokens into ETH. However, due to an uninitialized exploit address in the parent contract, the conversion process went awry.

The code for converting R to ETH and transferring it to the exploiter was called from another contract using delegatecall. Delegatecall, however, looks at the storage of the parent contract. In this case, the slot with the exploit address in the parent contract was not initialized.

The Hacker’s Misstep

the hacker’s plan to profit from the heist ended up backfiring. Initially, they pulled 18 ETH from Tornado Cash, a privacy-focused Ethereum transaction pool. They then successfully hacked a total of 1,577 ETH from the Raft protocol.

However, in an unexpected twist, the hacker ended up burning 1,570 ETH, effectively sending it to a null address from which it could never be retrieved. They sent the remaining 7 ETH to themselves.

After accounting for transaction fees, the hacker was left with 14 ETH. This means that their total profit after fees was -4 ETH. In other words, the hacker not only failed to profit from the heist but ended up at a loss.

The Aftermath

Following the security breach, Raft immediately took to Twitter to inform its users of the potential security vulnerability and assured them that they were investigating the matter. To control the situation, they paused the minting of R.

In a subsequent update, Raft confirmed the incident, stating that it had led to the minting of approximately $6.7 million in unbacked R. They also revealed that the hacker had sold R, which had an impact on its price. Despite the chaos, existing users were still able to repay their positions and receive their collateral.

Raft is currently working on a comprehensive recovery plan to compensate users affected by the incident and plans to publish this detailed recovery plan in the upcoming week. In the meantime, they advised users to wait for further updates on the recovery plan. They also strongly discouraged speculative R purchases as there is unbacked R in circulation.

Looking ahead, Raft announced that the current version of the platform would be sunsetted. They are fully committed to launching a completely new and secure version in the future, but their priority is to establish a clear recovery plan for all affected users.

Despite the exploited Raft codebase being audited by both Trail of Bits and Hats Finance, the incident served as a brutal reminder that no audit is 100% safe, regardless of who the auditor is. This underscores the importance of robust security measures and continuous vigilance in the DeFi landscape.

This series of events provides a clear timeline of Raft’s immediate response, their ongoing efforts to address the issue, and their plans to ensure the security of their platform. It also highlights the importance of robust security measures in the DeFi landscape.


In conclusion, while the hack was a setback, it has also paved the way for necessary improvements in security measures. It’s a reminder that in the rapidly evolving world of DeFi, continuous vigilance, robust security measures, and adaptability are crucial for success. The lessons learned from this incident will undoubtedly shape the future of DeFi platforms. As the saying goes, “Every adversity carries with it the seed of an equal or greater benefit.”

Categorized in: