Rikkei Finance ("RiFi") is a decentralized finance protocol that handles transactions on public ledgers. It supports cross-chain integration, so it can receive digital assets from different blockchain networks, and it renders those assets at an identical rate, making it a real-time exchange currency.
RiFi uses a PriceOracle to determine the trading cost of each token. The hacker found an access control bug within RiFi's token oracle smart contract.
There is a public/external function called setOracleData. Since it is public and external without any access control, anybody is able to set the prices of tokens. Yikes!
The attacker provided the service with a small amount of collateral in some token. Normally, this collateral is what ensures that a loan will be paid back. But with the PriceOracle under their control, the attacker could make the exchange rate extremely favourable to themselves!
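To make the two points above concrete (an unprotected setOracleData, and a lending contract whose borrow limit trusts whatever the oracle returns), here is an added, hypothetical Solidity example. It is not RiFi's code: only the names PriceOracle and setOracleData come from the post, and every other name, the 18-decimal price format, the 75% collateral factor, the 20% per-update bound and the one-hour staleness window are assumptions chosen for illustration. The vulnerable oracle sits beside a hardened version that restricts the setter to an owner, bounds how far a single update may move a price, and refuses to serve stale or unset prices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified contracts written for this post. Not RiFi's code.

// The bug pattern described in the post: a price setter anyone can call.
contract VulnerablePriceOracle {
    mapping(address => uint256) public prices; // token => USD price, 18 decimals (assumed format)

    // BUG: external and unrestricted, so any address can set any token's price.
    function setOracleData(address token, uint256 price) external {
        prices[token] = price;
    }

    function getPrice(address token) external view returns (uint256) {
        return prices[token];
    }
}

// Hardened form: only the owner may update, updates are bounded, reads reject stale data.
contract HardenedPriceOracle {
    address public immutable owner;
    mapping(address => uint256) public prices;
    mapping(address => uint256) public lastUpdate;   // token => timestamp of last update
    uint256 public constant MAX_CHANGE_BPS = 2_000;  // max 20% move per update (assumed bound)
    uint256 public constant MAX_AGE = 1 hours;       // reject prices older than this (assumed)

    event OracleDataSet(address indexed token, uint256 oldPrice, uint256 newPrice, address by);

    modifier onlyOwner() {
        require(msg.sender == owner, "not authorized");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Access control is the fix for the bug itself; the bound limits damage if the key leaks.
    function setOracleData(address token, uint256 price) external onlyOwner {
        require(price > 0, "zero price");
        uint256 old = prices[token];
        if (old != 0) {
            uint256 maxDelta = (old * MAX_CHANGE_BPS) / 10_000;
            require(price <= old + maxDelta && price + maxDelta >= old, "price jump too large");
        }
        prices[token] = price;
        lastUpdate[token] = block.timestamp;
        emit OracleDataSet(token, old, price, msg.sender); // on-chain record for monitoring
    }

    function getPrice(address token) external view returns (uint256) {
        require(prices[token] != 0, "no price");
        require(block.timestamp - lastUpdate[token] <= MAX_AGE, "stale price");
        return prices[token];
    }
}

interface IPriceOracle {
    function getPrice(address token) external view returns (uint256);
}

// Minimal lender showing why the oracle matters: the borrow limit scales linearly
// with the oracle price, so whoever controls the price controls the limit.
contract MiniLender {
    IPriceOracle public immutable oracle;
    uint256 public constant COLLATERAL_FACTOR_BPS = 7_500; // borrow up to 75% of collateral value (assumed)
    mapping(address => mapping(address => uint256)) public collateral; // user => token => amount

    constructor(IPriceOracle _oracle) {
        oracle = _oracle;
    }

    // Token transfer omitted; only the accounting matters for this illustration.
    function deposit(address token, uint256 amount) external {
        collateral[msg.sender][token] += amount;
    }

    // USD value of a user's collateral, times the collateral factor.
    function maxBorrowUsd(address user, address token) external view returns (uint256) {
        uint256 value = (collateral[user][token] * oracle.getPrice(token)) / 1e18;
        return (value * COLLATERAL_FACTOR_BPS) / 10_000;
    }
}
```

Reading maxBorrowUsd against VulnerablePriceOracle shows the whole incident in one line: a tiny deposit becomes an arbitrarily large borrow limit as soon as an outsider can write prices. The onlyOwner modifier is the actual fix; the per-update bound, staleness check and event are the extra controls a reviewer would ask for so that a compromised or mistaken update is both limited and visible.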
At this point, the attacker used the inflated value of the manipulated token to drain an enormous amount of other assets from the contract. By the end, they had stolen an estimated $1 million in DAI, BUSD and several other tokens.
This is a very simple access control bug that should have been caught during testing, or by simply reviewing which externally callable functions lack an access modifier. It is fascinating to see such obvious bugs cause millions in losses.