Cyber Incident Victim: Fortress
Date: May 2022
Location: United States of America
Summary
A decentralized finance protocol suffered a $3 million cryptocurrency theft due to an oracle manipulation attack that exploited third-party infrastructure vulnerabilities. Attackers hijacked the price feed mechanism to alter the value of the platform's native token, enabling them to drain funds comprising 1,048.1 Ethereum and 400,000 DAI stablecoins before laundering proceeds through Tornado. The incident caused the native token's value to plummet over 45% and disrupted lending operations, with security analysts attributing the breach to inadequate oracle verification protocols—a flaw previously exploited in a similar $15 million attack against another DeFi platform. The involved oracle provider acknowledged potential feed errors and deployed emergency fixes while investigations continued.
Description
On May 8, 2022, decentralized finance protocol Fortress announced via Twitter that approximately $3 million in cryptocurrency had been stolen through an attack targeting third-party infrastructure. The protocol, operating on the Binance Smart Chain as a money-market and stablecoin platform, attributed the incident to an oracle manipulation attack that drained all its funds. Attackers stole 1,048.1 Ethereum and 400,000 DAI stablecoins before funneling the assets through Tornado, a cryptocurrency mixing service designed to obscure transaction trails. Fortress urgently advised users to cease supplying assets to the platform while investigations continued, sharing blockchain addresses associated with the attack initiation and fund transfers. The value of Fortress’s native token (FTS) plummeted over 45% following the breach, according to Coinbase data.

Blockchain security firms PeckShield and BlockSec analyzed the attack, identifying a critical vulnerability in Fortress’s oracle system that lacked proper verification controls, enabling unauthorized price manipulation. The attacker exploited this flaw to artificially alter FTS token prices, then purchased 296,193 FTS tokens for $8,000 to vote for a malicious proposal adding FTS as collateral. This method mirrored a $15 million oracle manipulation attack on Inverse Finance in April 2022. PeckShield alerted Umbrella Network, the oracle provider implicated in the incident, which acknowledged a potential price feed error and deployed a hotfix after internal and external verification. Fortress’s parent company, Jetfuel Finance, disabled supply and borrow functions on the Fortress Loans app as a containment measure but confirmed existing smart contracts remained operational. PeckShield noted the incident contributed to 2022’s cumulative DeFi thefts exceeding $1.57 billion by May 1, surpassing 2021’s full-year total of $1.55 billion. Fortress appealed to partners and community organizations to assist in freezing and recovering the stolen assets.
