Rocketswap, a decentralized exchange on Base, Coinbase's native Ethereum-based network, has suffered an exploit, losing over $860k of users’ assets.
According to an August 15 post on X by Rocketswap, the incident was caused by a “brute force hack” on a server that held private keys related to the protocol. Rocketswap said the breach allowed the hackers to gain control of the protocol’s farm feature and transfer out a large volume of users’ assets.
The statement read:
We are sorry to inform you that the team needed to use offline signatures when deploying the launchpad and put the private keys on the server. A brute force hack of the server was detected, and due to the proxy contract used for the farm contract, there were multiple high-risk permissions that led to the transfer of the farm’s assets.
The protocol announced that it had deactivated the farm feature and shut down its Telegram channel. Meanwhile, blockchain security firm PeckShield has provided more insight into the exploit.
Hackers Bridge Stolen Assets From Base To Ethereum, Create New Token
Confirming the DeFi exploit on the Base chain, PeckShield shared that the hackers stole a total of 471 ETH, valued at $867,464.25, from Rocketswap and bridged it from Base to Ethereum.
Thereafter, they proceeded to generate a new token known as “LoveRCKT.” As of the time of the report, PeckShield noted that the hackers had supplied 90 trillion LoveRCKT and 400 ETH to the Uniswap decentralized exchange.
CertiK, another prominent security firm, has also confirmed the attack, describing it as a “Private Key Compromise.”
Since the recent launch of the Base blockchain, the Ethereum-based network has remained in the headlines, but mostly due to issues with some of its projects.
On July 31st, the BALD meme coin was tagged a rug pull project after its developers moved $25.6 million in liquidity off the project a day after it launched on the Base network. BALD initially surged by 3,000% upon launch but soon lost over 90% of its value the next day.
Rocketswap Launches Emergency Plan, Intends To Reach Out To Hackers
Following the heist on Rocketswap, the project’s developer has communicated an emergency containment program to its users.
Firstly, Rocketswap aims to deploy a new farm contract. However, this new farm will be based on an open-source model rather than a proxy contract and will aim to “advance the production reduction plan by 0.075 per block.”
The emergency programme agreed upon by the team is as follows.
1. We plan to redeploy a new farm contract by dropping the proxy contract and open sourcing it on-chain.
2. The new farm will advance the production reduction plan by 0.075 per block.
3. The team relinquishes…
— RocketSwap (@RocketSwap_Labs) August 15, 2023
Meanwhile, the project team will be renouncing all mining risks, keeping only “low-risk” risks for the allocation of new pools. In addition, Rocketswap has also expressed plans to publicly appeal to the hackers for the restitution of the stolen assets.
Rocketswap assured its community that all features except the suspended farm feature remain functional, and the Telegram channels will resume operation upon stabilization.
At the time of writing, data from DefiLlama shows the Rocketswap TVL has dipped by 31.25% over the last day, falling from $3.63 million to $2.48 million.
Source: https://bitcoinist.com/base-defi-project-suffer-865k-exploit-emergency/