Scroll Ecology Protocol Rho Markets Loses 76 Million Due to Oracle Vulnerability Funds Restored by Attacker

Scroll Ecology Protocol Rho Markets Loses 76 Million Due to Oracle Vulnerability Funds Restored by Attacker

Scroll Ecology Protocol Rho Markets Loses 76 Million Due to Oracle Vulnerability Funds Restored by Attacker

The liquidity layer constructed on the Ethereum Layer 2 network, Scroll, and the lending protocol Rho Markets announced on Friday (19th) that they suspended the operation of the platform due to the detection of abnormal activities. A cybersecurity institution claimed that Rho Markets had been exploited and could have suffered losses exceeding $7.6 million. However, this does not seem to be a hacking incident, as the “attacker” has expressed willingness to return the funds through on-chain messages.

Blockchain security company Cyvers stated on a social media platform that the suspension of the Rho Markets platform seems to be due to a malicious actor gaining control over the oracle access. The affected liquidity pools involve USD stablecoins such as $USDC and $USDT. Currently, the attacker holds assets worth $7.6 million on multiple chains.

The Scroll team has also become aware of potential vulnerabilities in their ecosystem and stated on platform X:

Shortly after, on-chain detective ZachXBT stated that the attacker had sent a message on-chain. According to the content, the attacker does not appear to be a hacker. The actor in this incident claimed that their MEV (Maximum Extractable Value) robot had profited from the improper configuration of the Rho Market price oracle. They stated, “We understand that these funds belong to users and are willing to return them in full.” However, they requested that Rho Market first acknowledge that this incident was not an exploit or hacking but rather due to the improper configuration of the platform. They also demanded that Rho Market explain how they will prevent similar incidents from happening again.

Source:
ZachXBT

Subsequently, Yu Xian, the founder of the internet security company SlowMist, stated that Rho Markets had almost fully returned the 2203 ETH that was taken away by an MEV robot due to the oracle issue.

There were also some controversies surrounding this incident. Some individuals in the crypto community raised questions about Scroll’s halt of the chain’s operation, claiming that it contradicted the core values of “permissionless” and “censorship-resistant” in blockchain.

Later, Ye Zhang, co-founder of Scroll, responded, stating that it was only a delay in final confirmation to investigate whether the incident was related to the protocol’s security. The chain was not suspended and continued to operate as usual. Even with the delay, the final confirmation time was within a normal range (approximately 30 minutes). Ye Zhang also mentioned, “In the next phase of the decentralized process, we won’t be able to do this, and it’s still ongoing.”