Cyber Incident Victim: One Ring protocol
Date: Mar 2022
Location: United States of America
Summary
A flash loan attack on the One Ring protocol resulted in a theft of $1.4 million, with total losses reaching $2 million after accounting for fees. The attacker manipulated LP token prices using an $80 million flash loan, causing OShare tokens to be ejected from the system, though other assets and liquidity pools remained unaffected. The exploiter deployed a self-destructing contract to obscure transaction details and laundered stolen funds through Tornado Cash, complicating traceability efforts. The protocol initiated recovery measures including code reviews, vulnerability remediation, victim compensation, and a bounty offer for fund return, while external audits revealed additional security risks in related contracts.
Description
On March 21, 2022, attackers executed a flash loan attack against the One Ring Finance protocol, resulting in the theft of $1.4 million in cryptocurrency. The attackers borrowed $80 million in USDC stablecoin via Solidly flash loans to manipulate the price of underlying liquidity pool (LP) tokens within the span of a single block. This artificial price inflation altered the value of OShare tokens, triggering their mass ejection from the protocol. Total losses reached $2 million after accounting for swap fees and flash loan costs. The attack exclusively targeted OShare tokens, leaving OneRing (RING) tokens, liquidity pools, and Fantom-based farming operations unaffected. The exploiter deployed a self-destructing smart contract designed to erase transaction details at a predetermined block, significantly impeding forensic analysis. One Ring Finance confirmed the attacker’s Ethereum wallet was initially funded through Tornado Cash, a cryptocurrency mixer, with stolen funds subsequently routed back through the same service to obscure tracing efforts.

One Ring Finance initiated multiple response measures following the attack, including collaboration with node providers to recover the self-destructed contract’s bytecode for decompilation and analysis. The organization announced plans to restart vault operations, redeploy audited smart contracts, and compensate affected users. A 15% bounty ($210,000) plus one million RING tokens was offered for the return of stolen funds. Concurrently, blockchain security firm CertiK disclosed vulnerabilities in another unaudited One Ring contract during a post-incident review, warning of potential flash loan attack vectors. One Ring acknowledged engaging external developers to audit and remediate codebase vulnerabilities, noting that the exploit methodology had surprised even senior developers who previously reviewed the protocol. The incident underscored operational challenges in tracking mixer-obfuscated transactions and highlighted gaps in pre-deployment security practices.
