Cybercriminals hack Fortress Protocol, steal its funds and launder them through Tornado Cash

Fortress Protocol, an algorithmic marketplace platform and decentralized finance (DeFi) lending protocol, suffered the loss of all its funds following a massive cyberattack. Apparently, the stolen assets were bridged from Binance Smart Chain to Ethereum and subsequently mixed using the Tornado Cash privacy protocol.

CertiK, a firm specializing in blockchain security, released details about the incident this Monday, noting that it all started when attackers used Ethereum to purchase FTS, Fortress's governance token. This purchase gave the attackers the authority to approve any changes they wanted to the platform.

The attackers approved proposal ID 11, which changed the collateral factor of FTS tokens within the lending contracts from 0 to 700,000,000,000,000,000. The price oracle used by the lending contract was also updated so that the token price could be set arbitrarily.
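As an added illustration (not code from Fortress or CertiK), the sketch below screens a proposal's decoded actions for the two changes attributed to proposal ID 11: a token's factor going from 0 to a non-zero value and a price-oracle replacement in the same proposal. It assumes Compound-style setter signatures and 18-decimal fixed-point scaling, under which 700,000,000,000,000,000 reads as 70%; the addresses are placeholders.

```python
from dataclasses import dataclass

MANTISSA = 10**18  # assumption: factors are 18-decimal fixed point (1e18 == 100%)
# Assumed Compound-style setter signatures; the article does not name the functions.
SET_FACTOR = "_setCollateralFactor(address,uint256)"
SET_ORACLE = "_setPriceOracle(address)"

@dataclass(frozen=True)
class Action:
    signature: str  # function the proposal would call if executed
    args: tuple     # decoded call arguments

def review_proposal(actions, current_factors):
    """Return (severity, findings) for a proposal's decoded actions.

    current_factors maps market address -> collateral factor currently on chain.
    """
    findings, newly_enabled, oracle_swapped = [], False, False
    for action in actions:
        if action.signature == SET_FACTOR:
            market, new = action.args
            old = current_factors.get(market, 0)
            if new > MANTISSA:
                findings.append(f"{market}: factor above 100%")
            elif old == 0 and new > 0:
                newly_enabled = True
                findings.append(f"{market}: enabled as collateral, 0 -> {new / MANTISSA:.0%}")
            elif new > old:
                findings.append(f"{market}: factor raised to {new / MANTISSA:.0%}")
        elif action.signature == SET_ORACLE:
            oracle_swapped = True
            findings.append(f"price oracle replaced with {action.args[0]}")
    # An asset newly accepted as collateral plus a new price source is the risky pairing.
    if newly_enabled and oracle_swapped:
        return "critical", findings
    return ("review" if findings else "ok"), findings

# Constructed sample modelled on the article's description of proposal ID 11;
# both addresses are placeholders, not real contract addresses.
SAMPLE = [
    Action(SET_FACTOR, ("0xFTS_MARKET_PLACEHOLDER", 700_000_000_000_000_000)),
    Action(SET_ORACLE, ("0xNEW_ORACLE_PLACEHOLDER",)),
]

if __name__ == "__main__":
    severity, findings = review_proposal(SAMPLE, {"0xFTS_MARKET_PLACEHOLDER": 0})
    print(severity, *findings, sep="\n")
```

A screen like this is only useful if it runs before a proposal can execute, for example during a voting or timelock window.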

Subsequently, the threat actors used the remaining FTS to borrow a large number of tokens and convert them into more than 1,000 ETH and more than 400,000 DAI, making profits of about $3 million USD depending on the exchange rate at the time of the attack. Finally, a self-destruct mechanism encoded in the malicious smart contract was activated to transfer all stolen funds to Tornado Cash.

Those responsible for Fortress said they were “absolutely devastated” to learn of the attack. They also asked the user community not to deposit new assets in Fortress and asked any actor in the cryptocurrency world for help in recovering the compromised funds.

Both the Ethereum assets used for the initial purchase of FTS and the Ethereum representing the stolen funds circulated through Tornado Cash. This mixing protocol removes the link between the addresses of the two parties in a cryptocurrency transaction, allowing hackers to remove any possible traces.

This protocol had already been used in previous cryptocurrency heists, such as the Ronin incident that led to the loss of some $600 million USD in cryptocurrency. The hackers behind the attack are reportedly responsible for 15% of the assets that have circulated through Tornado Cash.
