Rho Markets Security Incident Report

Rho Markets
Jul 24, 2024


Security Incident

On July 19, 2024, shortly after updating the smart contract for a new market launch, Rho Markets identified that the price oracles for ETH and BTC were providing contradictory price feeds due to a misconfiguration in the deployment script. This issue resulted in the prices of BTC and ETH being reversed, creating arbitrage opportunities for MEV bots. Due to the incorrect oracle pricing, assets including USDC, USDT, wstETH, STONE, and wrsETH were borrowed up to their borrowing caps. The estimated total amount affected is approximately $7.6 million.
The incident took place on Scroll, impacting assets such as USDC, USDT, ETH, wstETH, and others. The MEV bot borrowed approximately $7.6 million worth of assets using a minimal amount of ETH as collateral.

Incident Response

Upon detecting the security vulnerability, our team immediately activated the incident response plan and successfully disabled all vulnerable components on the protocol, thereby containing the threat. With the assistance of security professionals from SEAL 911, we promptly communicated with the MEV wallet address and received a positive response. Within the next six hours, 100% of the funds were returned from the MEV address.

Hash Message from MEV address

Technical Analysis

The incident occurred shortly after attempting to deploy a new asset market on Rho Markets. A vulnerability in the upgrade allowed the MEV bot to supply ETH at the BTC oracle price and use it as collateral within the protocol.

The vulnerability arose from a misconfiguration that allowed ETH suppliers to mint rETH at the BTC oracle price and use it as collateral within the Rho Markets protocol, valuing the supplied ETH at roughly 20X its actual price. The root cause was that the ETH market's oracle price feed had been erroneously configured to point at the BTC price feed. Normally, such settings are validated before any changes are implemented. However, due to a human error in overseeing the deployment process, this validation check was missed for the oracle price.

Smart Contract Code analytics

Recovery Efforts

We cooperated with @_SEAL_Org and @hexagate_ to recover the $7.6 million lost to the MEV bot arbitrage. The accounting and allocation process has been completed, and the Rho Markets Protocol is now fully operational again.

We sincerely appreciate the assistance of security research institutions and our partners, including @Scroll_ZKP, @SEAL_Org, @SlowMist_Team, @hexagate_, @zachxbt, @dedaub, @pencilsprotocol, and @BlockSecTeam, who continue to support us in identifying and resolving this issue.

We will also collaborate with additional third-party partners to enhance our security measures. This includes on-chain data monitoring and smart contract audits from partners such as @BlockSecTeam, @HypernativeLabs, @chaos_labs, @Immunefi, and others.

Further audits of the protocol will be scheduled, including those by @blocksecteam and @slowmist_team, to ensure the protocol’s security.

Future Outlook

Rho Markets is dedicated to ensuring the security of our protocol and user assets. Beyond our existing multi-step deployment review process, we are going to implement additional security policies and measures to prevent future incidents, including:

  1. Thorough testing on Tenderly Fork: We will test any upgrade on a Tenderly fork whenever we need to update the price oracles or make other changes to the protocol.
  2. Meticulous Review Process: We will review each step meticulously to verify configuration setups, price oracles, and other relevant settings.
  3. Clean Deployment Environment: We will ensure our deployment environment is clean by initiating a new environment for each deployment and upgrade.
  4. Enhanced Verification: We will work with security teams to verify that all deployments are correct before mainnet deployment.
  5. Bounty Programs through Immunefi.
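As an added illustration of the validation step described in the Technical Analysis and in item 2 above (example code written for this report, not Rho Markets' deployment tooling), the check below takes the feed address assigned to each market, asks each feed for its current price, and rejects a configuration where a price falls outside a plausible band for that asset or where two markets share one feed. Feed addresses, prices and bands are constructed sample values.

```python
# Constructed sample data: price each (hypothetical) feed address currently
# reports. In a real pre-deployment check these would be read on-chain.
FEED_PRICES = {
    "0xFEED_BTC": 65_000.0,   # hypothetical BTC/USD feed
    "0xFEED_ETH": 3_200.0,    # hypothetical ETH/USD feed
    "0xFEED_USDC": 1.0,       # hypothetical USDC/USD feed
}

# Plausibility band (USD) per asset. Constants chosen for the example; a real
# deployment check would derive them from an independent reference price.
EXPECTED_RANGE = {
    "BTC": (20_000.0, 150_000.0),
    "ETH": (1_000.0, 10_000.0),
    "USDC": (0.95, 1.05),
}


def validate_oracle_config(config: dict) -> list:
    """Return a list of problems for a market -> feed mapping; [] means it passes."""
    problems = []
    seen = {}
    for asset, feed in config.items():
        price = FEED_PRICES.get(feed)
        if price is None:
            problems.append(f"{asset}: feed {feed} returned no price")
            continue
        lo, hi = EXPECTED_RANGE[asset]
        if not lo <= price <= hi:
            # A swapped feed shows up here: the ETH market would report a BTC-sized price.
            problems.append(f"{asset}: feed {feed} reports {price}, outside [{lo}, {hi}]")
        if feed in seen:
            # Two markets pointing at one feed is almost always a copy-paste error.
            problems.append(f"{asset} and {seen[feed]} share feed {feed}")
        seen[feed] = asset
    return problems


def collateral_value(amount: float, config: dict, asset: str) -> float:
    """USD value the protocol would assign to `amount` of `asset` under `config`."""
    return amount * FEED_PRICES[config[asset]]


GOOD_CONFIG = {"BTC": "0xFEED_BTC", "ETH": "0xFEED_ETH", "USDC": "0xFEED_USDC"}
# The failure mode from the report: ETH and BTC feeds assigned to each other's market.
SWAPPED_CONFIG = {"BTC": "0xFEED_ETH", "ETH": "0xFEED_BTC", "USDC": "0xFEED_USDC"}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("swapped", SWAPPED_CONFIG)):
        print(name, validate_oracle_config(cfg) or "OK")
```

With the sample prices, the swapped configuration values 1 ETH of collateral at 65,000 USD instead of 3,200 USD, about 20 times too high, which is the overvaluation the report describes.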

Our security measures have been functioning as intended. The incident occurred due to a human error in managing the deployment process. To avoid similar issues in the future, we are undertaking a thorough review and overhaul of our deployment procedures.

Rest assured, our team is diligently executing these steps to restore normalcy, reinforce the integrity of our system, and safeguard the interests of our valued users.

In the coming days, we will prioritize checking everyone's positions to ensure that no anomalies remain. If you notice any issues, please contact us proactively through a Discord ticket or by email. We will introduce further compensation plans and organize an AMA session, where you will have the opportunity to ask questions and learn more.

Link to Discord server: https://discord.gg/rhomarkets

Email address: peter@rhomarkets.xyz

Disclaimer: This article is only meant for informational purposes. The projects mentioned in the article are our partners, but we encourage you to do your due diligence before using or buying tokens of any protocol mentioned. This is not financial advice.
