MEV bot to return $7.5M if Rho Markets admits to oracle error

Crypto assets worth $7.5 million were lost when Rho Markets, a decentralized finance (DeFi) lending platform on Ethereum L2 Scroll, was hacked.

However, the operator of the MEV bot responsible is willing to return the funds — as long as Rho Markets admits to its mistakes.

The suspicious activity was highlighted by an X (formerly Twitter) user, who noted that the platform was out of the stablecoins USDC and USDT. The user linked to the purported attacker’s address, which shows a gain of $7.5 million over the past hours.

Scroll's Rho Markets exploited. USDC/USDT gone, so borrow ETH etc and wait.

Think Oracle issue. Attacker address: https://t.co/CboWQND5ZQ pic.twitter.com/5hLWoltciI

— CJ the "Doughnut" (@CJCJCJCJ_) July 19, 2024

Read more: Sifu’s UwU Lend reportedly hacked for $20M, Curve’s Egorov among affected

Half an hour after the initial alert, Rho Markets announced ‘unusual activity‘ on the platform, which has been paused while the issue is investigated. “Most of the pools are safe, so there is no need to worry,” they added.

The X account of the Scroll network confirmed that the exploit was ‘application-specific,’ informing users that it had decided to temporarily delay the finalization of the chain. The network is now operating normally.

While the exact nature of the exploit is yet to be confirmed by the team, blockchain security firm Cyvers suspected the root cause to be ‘oracle access control by a malicious actor.’ This was later confirmed by BlockSec which noted ‘a strange ownership transfer’ of the oracle contract.

The incident quickly began to look like it would have a happy ending, however. Noting the attacker’s exposure to centralized exchanges, on-chain detective ZachXBT suspected that there is “a good probability this gets recovered and they are gray or white hat.”

Shortly afterward, the hunch proved correct, with the attacker sending an on-chain message on Ethereum mainnet. The bot operator claims to be “willing to fully return” the funds, on the condition that the team admits to ‘a misconfiguration on [Rho Markets’] end.’

On top of admitting the error, the white hat requests that Rho Markets suggest what it is “going to do to prevent it from happening again.”

Good news everyone the exploiter sent this message on-chain https://t.co/HA6YIgKalq pic.twitter.com/cRw56OtNTp

— ZachXBT (@zachxbt) July 19, 2024

Read more: Compound Finance and Celer Network websites compromised in ‘front-end’ attacks

According to DeFi analytics platform DeFiLlama, Rho Markets is a ‘fork’ of long-established Compound Finance, and holds approximately $43 million worth of assets.

Compound itself was at the heart of last week’s panic over the wave of front-end hijacking incidents on popular DeFi platforms.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.