defirisk.co
rubric v1.7.0

Fortress Protocol (lending arm of JetFuel Finance): Oracle Manipulation + Malicious Governance Proposal

Fortress Protocol was drained for $3M when an attacker passed a malicious governance proposal (active for 3 days, uncontested) and exploited a publicly callable oracle to inflate FTS price, using $4.50 worth of FTS as collateral to borrow everything.

Occurred 2022-05-09 Loss $3M Status closed

Summary #

Fortress Protocol (lending arm of JetFuel Finance) suffered a Lending on 2022-05-09, resulting in a loss of approximately $3M.

What happened #

Fortress Protocol was drained for $3M when an attacker passed a malicious governance proposal (active for 3 days, uncontested) and exploited a publicly callable oracle to inflate FTS price, using $4.50 worth of FTS as collateral to borrow everything.

Linked factors #

  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — both auditors missed the public oracle submit() function; collateral factor manipulation via governance was not flagged]
  • RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — malicious governance proposal was the key enabling step; was active and voteable for 3 days]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Y — malicious governance proposal to add FTS as collateral was visible on-chain for 3 days before execution; Tornado Cash-funded attacker ad...]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — publicly callable oracle submit() means any price submission is a potential manipulation; FTS price spike at time of exploit is detectab...]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — malicious governance proposal was the key enabling step; was active and voteable for 3 days]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — JetFuel Finance / Compound-style lending fork on BSC]
  • RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Y — JetFuel Finance / Compound-style lending fork on BSC]