DeFi protocol Fortress announces $3 million hack 'draining all funds'

The operators of decentralized finance (DeFi) lending and credit protocol Fortress announced on Sunday that about $3 million worth of cryptocurrency was stolen during an attack on third-party infrastructure.

The company — which bills itself as a money-market and stablecoin protocol on the Binance Smart Chain — explained in a series of tweets that the digital assets were stolen and deposited into cryptocurrency mixing service Tornado, allowing the thieves to hide their tracks.

“Fortress has been hit with what we believe is an oracle manipulation attack draining all funds," the company said. Oracles are third-party services that connect blockchains with off-chain data.

"We are investigating to determine the exact method of attack. PLEASE DO NOT SUPPLY ANY ASSETS TO FORTRESS!” the company said.

We are absolutely devastated. We will provide updates as soon as any information is available.

This is the address that implemented the attack: https://t.co/w50Hllxffn

Transaction that started the oracle attack: https://t.co/AGAqCVc1f1

— Fortress Protocol (@Fortressloans) May 9, 2022

The theft involved 1,048.1 in Ethereum and 400,000 of the stablecoin known as DAI.

“We need the support of all of our partners and key organizations in the community to assist and try to freeze and bring back the funds! IF THERE IS ANYTHING ANYONE CAN DO PLEASE DM US!” the company said.

The price of the Fortress native token, FTS, has since tanked more than 45%, according to Coinbase.

Blockchain security companies PeckShield and BlocSec noted that the oracle used by Fortress “can be hijacked by anyone due to the lack of power verification.” 

Both companies explained that the hacker was able to change the price of FTS and used a large purchase of the coin to make other changes.

Last month, DeFi protocol Inverse Finance lost $15 million in a similar price oracle manipulation scam, where an attacker uses the manipulated price of a coin as collateral to drain assets from a DeFi platform.

2/ The attacker called this function and changed the price of FTS directly. Furthermore, the attacker used $8000 to buy 296,193 FTS to vote for a proposal that add the FTS token as collateral. pic.twitter.com/Xs3Qg8Cem4

— BlockSec (@BlockSecTeam) May 9, 2022

Blockchain security firm PeckShield also warned DeFi data oracle Umbrella Network about its involvement in the incident. The company released its own statement saying it is "aware of the recent exploits that may have stemmed from an Umbrella Network price feed error."

"We're currently looking into the matter with our team and partners. We have already deployed a hotfix to address the issue that was identified by our internal team, and corroborated by PeckShield," Umbrella Network wrote.

The Fortress Protocol was built by developers with the Jetfuel Finance Multi Chain Ecosystem. That company sent out its a statement, notifying its users that supply and borrow features on the Fortress Loans app have been disabled “until further notice.” Jetfuel said all existing smart contracts are "still operational."

PeckShield said that as of May 1, more than $1.57 billion in cryptocurrency has been stolen from DeFi platforms in 2022, already surpassing 2021's total of $1.55 billion.