Ethereum-Based Synthetic Asset Platform Misplaces Over 37M Tokens in Oracle Attack
Update: The article has been corrected to clarify that the funds in question were not ‘lost’ but inflated by an incorrect price feed.
The Ethereum-based synthetic asset issuance platform Synthetix has reportedly misplaced over 37 million synthetic ETH (sETH) in an oracle attack, according to a report by The Block on June 24.
However, Garth Travers at Synthex told Cointelegraph that "no funds have been 'lost.'”
“One bot owner's balance was inflated due to an incorrect sKRW price feed, which he then converted into an inflated amount of sETH.”
“We have recovered the sETH and are close to fully resolving the situation. We will continue to update the community as more details are finalised," he added.
While the amount of sETH in question is known to be over 37 million, the price of this loss in U.S. dollars is reportedly unknown due to its relative illiquidity on secondary markets.
Synthetix allows users to mint and trade synthetic currencies peer-to-peer (P2P) on the Ethereum blockchain. One such synthetic currency is the token sETH, which apparently tracks the price of Ether using an oracle-backed price feed.
Synthetix CEO Kain Warwick purportedly commented in the official Discord channel for Synthetix, saying:
"There has been an incident with the price feed of sKRW, we are currently investigating the root cause, but during the time when the price feed was returning the wrong value we believe an automated arb bot converted into sKRW and then into sETH."
Warwick reportedly believes the so-called ‘attack’ was performed automatically by an arbitrage bot and is seeking to contact the bot owner to correct the problem.
In the meantime, Synthetix has reportedly put a hold on all transactions, which it can apparently do as it has total control over its smart contracts. Warwick has also issued a bug bounty to solve and prevent this issue from occurring in the future.
As previously reported by Cointelegraph, white hat hackers claimed more than 40 bug bounties over 30 days in March. The bug finders received a cumulative total of $23,675, about a third of which came from the consensus algorithm and P2P networking protocol company Tendermint.