Verify a decision

{"actor":"system:backfill","investigation_id":"e93a8390-af53-4269-8275-8acd42ed5744","kind":"publish","page_slug":"fortress-protocol","published_at":"2026-05-31T06:59:35.529Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fortress Protocol","sections":[{"content":"On May 9, 2022, Fortress Protocol was drained of approximately $2.98 million in cryptocurrency assets, comprising 1,048.1 ETH and 400,000 DAI. The attacker exploited two distinct but compounding vulnerabilities: a governance mechanism that could be controlled with a minimal token outlay, and a publicly callable oracle price submission function with no access controls. The stolen assets were converted to approximately 3 million USDT, bridged to Ethereum via Anyswap and cBridge, converted to ETH and DAI, and then deposited into Tornado Cash to obscure the transaction trail. No original funds were subsequently recovered. The FTS token price fell over 45% following public disclosure of the breach.","heading":"May 2022 Exploit Overview","severity":"critical","sources":[{"credibility":2,"name":"Fortress Protocol — Rekt News","type":"news","url":"https://rekt.news/fortress-rekt"},{"credibility":2,"name":"DeFi protocol Fortress announces $3 million hack — The Record (Recorded Future)","type":"news","url":"https://therecord.media/defi-protocol-fortress-announces-3-million-hack"},{"credibility":2,"name":"SlowMist: Fortress Protocol Hack Analysis","type":"news","url":"https://slowmist.medium.com/slowmist-fortress-protocol-hack-analysis-19af24af723c"}]},{"content":"Fortress Protocol's on-chain governance required any proposer to hold at least 400,000 FTS tokens, equivalent to 4% of the total token supply of 10,000,000 FTS issued on April 21, 2022. Because the FTS market price was depressed, the attacker purchased approximately 400,000 FTS for roughly 11.4 ETH (approximately $22,000 at the time), satisfying the quorum threshold at low cost. The attacker then created governance proposal FIP-11 on May 4, 2022, which proposed changing the FTS collateral factor from 0% to 70% (encoded as 700000000000000000 in contract storage). The governance contract had no provision requiring any voting participation beyond the proposer's own holdings, and no timelock sufficient to allow community review. The attacker voted on their own proposal, the 3-day voting period elapsed on May 7 with no countervotes, and after a 2-day implementation delay the proposal executed on May 9, enabling the attacker to use artificially valued FTS as collateral for protocol borrowing.","heading":"Governance Attack Mechanism","severity":"critical","sources":[{"credibility":2,"name":"SlowMist: Fortress Protocol Hack Analysis","type":"news","url":"https://slowmist.medium.com/slowmist-fortress-protocol-hack-analysis-19af24af723c"},{"credibility":2,"name":"CertiK — Fortress Loans Incident Analysis","type":"news","url":"https://www.certik.com/resources/blog/k6eZOpnK5Kdde7RfHBZgw-fortress-loans-exploit"},{"credibility":2,"name":"Examination of the Fortress Protocol Hack — Coinmonks / Medium","type":"news","url":"https://medium.com/coinmonks/examination-of-the-fortress-protocol-hack-e261c96ea450"}]},{"content":"Fortress Protocol relied on the Umbrella Network oracle for FTS token price data. The Umbrella Network Chain contract's submit() function, which is used to update on-chain price feeds, was publicly callable without any verification of whether the caller held the rights to submit data to a given price feed. According to SlowMist's post-mortem, required signature verification logic had been commented out in the deployed contract code, leaving price submissions fully open. After governance proposal FIP-11 had passed and FTS was eligible as collateral, the attacker called submit() to set the FTS price to an extraordinarily inflated value — reportedly in the range of hundreds of billions of dollars per token — and then used the attacker's 100 FTS holdings (worth approximately $4.50 at real market prices) as collateral. The protocol accepted the manipulated oracle value and allowed the attacker to borrow virtually all available assets across every supported market, including BNB, USDC, USDT, BUSD, BTCB, ETH, LTC, XRP, ADA, DAI, DOT, and SHIB.","heading":"Oracle Price Manipulation","severity":"critical","sources":[{"credibility":2,"name":"SlowMist: Fortress Protocol Hack Analysis","type":"news","url":"https://slowmist.medium.com/slowmist-fortress-protocol-hack-analysis-19af24af723c"},{"credibility":2,"name":"Fortress Protocol Oracle Vulnerability Explained — SolidityScan","type":"news","url":"https://blog.solidityscan.com/fortress-protocol-oracle-vulnerability-explained-8650cdd27448/"},{"credibility":3,"name":"Oracle Manipulation Attack on Fortress — Block Magnates","type":"news","url":"https://blockmagnates.com/oracle-manipulation-attack-on-fortress/"}]},{"content":"Fortress Protocol underwent security audits by Hash0x and EtherAuthority prior to the May 2022 attack. Neither audit identified the oracle vulnerability. Post-mortem analysis by security researchers noted that the Umbrella Network oracle contract's submit() function flaw was technically out of scope for auditors contracted to review only Fortress's own smart contracts, illustrating a systemic gap in cross-protocol dependency auditing. CertiK's incident analysis stated that both vulnerabilities — the governance threshold and the oracle access control deficiency — would have been identifiable under a comprehensive audit engagement that encompassed all integrated dependencies. The case is now frequently cited in DeFi security literature as a demonstration that per-protocol audits can leave exploitable surfaces in external integrations unexamined.","heading":"Audit Failures and Scope Gaps","severity":"high","sources":[{"credibility":2,"name":"Fortress Protocol — Rekt News","type":"news","url":"https://rekt.news/fortress-rekt"},{"credibility":2,"name":"CertiK — Fortress Loans Incident Analysis","type":"news","url":"https://www.certik.com/resources/blog/k6eZOpnK5Kdde7RfHBZgw-fortress-loans-exploit"},{"credibility":3,"name":"3 Hacks an Audit Could Not Find — Sayfer","type":"news","url":"https://sayfer.io/blog/3-hacks-an-audit-could-not-find/"}]},{"content":"Following disclosure of the exploit, the JetFuel Finance team disabled supply and borrow functionality on the Fortress Loans UI and alerted Binance, Umbrella Network, and BitMart. The team appealed to the community and partners to assist in freezing and recovering the stolen assets. A partial compensation plan was announced: Umbrella Network contributed $1 million in total compensation to affected users, consisting of $300,000 USDC distributed immediately, an additional $200,000 USDC held in reserve, and 10,000,000 UMB tokens on a one-year linear vesting schedule (with the capacity to cover remaining losses if UMB tokens reached $0.18). Remaining shortfalls were to be funded through ongoing JetFuel ecosystem revenues including DEX fees, IJO revenue, and treasury investments. The team announced plans to remove on-chain governance entirely (scheduled for FIP passage on May 16–17, 2022) and to restart the protocol around May 13–14, 2022 with remediated contracts. No stolen funds were recovered from the attacker.","heading":"Team Response and Compensation","severity":"high","sources":[{"credibility":2,"name":"Fortress Attack Update and Compensation — JetFuel Finance / Medium","type":"official","url":"https://jetfuelfinance.medium.com/fortress-attack-update-and-compensation-e7a66621cfe6"},{"credibility":2,"name":"DeFi protocol Fortress announces $3 million hack — The Record","type":"news","url":"https://therecord.media/defi-protocol-fortress-announces-3-million-hack"}]},{"content":"SlowMist's analysis found that the attacker began preparations approximately 19 days before the May 9 execution date. On April 29, 2022, the attacker obtained 20 ETH via Tornado Cash and bridged 12.4 ETH to the Binance Smart Chain using cBridge. On May 4, governance proposal FIP-11 was submitted. Following the exploit on May 9, the attacker converted all borrowed assets into approximately 3 million USDT on BSC, then bridged those funds back to Ethereum via Anyswap and cBridge. On Ethereum the USDT was swapped for ETH and DAI; 1,048.1 ETH and 400,000 DAI were subsequently deposited into Tornado Cash, rendering on-chain tracing impractical. The primary attack transaction hash is 0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf.","heading":"Attack Preparation and Fund Laundering","severity":"high","sources":[{"credibility":2,"name":"SlowMist: Fortress Protocol Hack Analysis","type":"onchain","url":"https://slowmist.medium.com/slowmist-fortress-protocol-hack-analysis-19af24af723c"},{"credibility":3,"name":"Cybercriminals hack Fortress Protocol — Security Newspaper","type":"news","url":"https://www.securitynewspaper.com/2022/05/10/cybercriminals-hack-fortress-protocol-steal-its-funds-and-launder-them-through-tornado-cash/"}]},{"content":"The Fortress Protocol exploit is widely cited as a case study in governance attack vectors specific to low-liquidity token ecosystems. Key structural weaknesses identified in post-mortem analyses include: a governance quorum threshold denominated in token quantity rather than percentage of circulating liquidity or USD value, making quorum achievable for a few thousand dollars when token prices are depressed; absence of a guardian multisig or veto mechanism capable of blocking malicious proposals during the timelock period; lack of monitoring or alerting for unusual governance proposals affecting collateral parameters; and reliance on a single external oracle without circuit-breaker logic for anomalous price deviations. Broader recommendations from security firms include implementing minimum timelock delays of 48–72 hours for critical parameter changes, requiring multi-party oracle validation, and establishing governance emergency pause mechanisms controlled by independent multisigs.","heading":"DeFi Governance Security Lessons","severity":"medium","sources":[{"credibility":2,"name":"CertiK — Fortress Loans Incident Analysis","type":"news","url":"https://www.certik.com/resources/blog/k6eZOpnK5Kdde7RfHBZgw-fortress-loans-exploit"},{"credibility":2,"name":"Fortress Protocol Governance and Updates — JetFuel Finance / Medium","type":"official","url":"https://jetfuelfinance.medium.com/fortress-protocol-governance-updates-1d9a8799e64c"},{"credibility":2,"name":"Exploiting governance with metamorphic proposals — Coinbase Blog","type":"news","url":"https://www.coinbase.com/blog/exploiting-governance-with-metamorphic-proposals"}]}],"sources_used":[{"name":"Fortress Protocol — Rekt News","type":"news","url":"https://rekt.news/fortress-rekt"},{"name":"SlowMist: Fortress Protocol Hack Analysis","type":"news","url":"https://slowmist.medium.com/slowmist-fortress-protocol-hack-analysis-19af24af723c"},{"name":"CertiK — Fortress Loans Incident Analysis","type":"news","url":"https://www.certik.com/resources/blog/k6eZOpnK5Kdde7RfHBZgw-fortress-loans-exploit"},{"name":"Fortress Attack Update and Compensation — JetFuel Finance / Medium","type":"official","url":"https://jetfuelfinance.medium.com/fortress-attack-update-and-compensation-e7a66621cfe6"},{"name":"DeFi protocol Fortress announces $3 million hack — The Record (Recorded Future)","type":"news","url":"https://therecord.media/defi-protocol-fortress-announces-3-million-hack"},{"name":"Fortress Protocol Oracle Vulnerability Explained — SolidityScan","type":"news","url":"https://blog.solidityscan.com/fortress-protocol-oracle-vulnerability-explained-8650cdd27448/"},{"name":"Oracle Manipulation Attack on Fortress — Block Magnates","type":"news","url":"https://blockmagnates.com/oracle-manipulation-attack-on-fortress/"},{"name":"Examination of the Fortress Protocol Hack — Coinmonks / Medium","type":"news","url":"https://medium.com/coinmonks/examination-of-the-fortress-protocol-hack-e261c96ea450"},{"name":"Fortress Attack Event Analysis — lunaray / Coinmonks","type":"news","url":"https://medium.com/coinmonks/fortress-attack-event-analysis-bd30157e7dc9"},{"name":"Cybercriminals hack Fortress Protocol — Security Newspaper","type":"news","url":"https://www.securitynewspaper.com/2022/05/10/cybercriminals-hack-fortress-protocol-steal-its-funds-and-launder-them-through-tornado-cash/"},{"name":"Fortress Protocol Governance and Updates — JetFuel Finance / Medium","type":"official","url":"https://jetfuelfinance.medium.com/fortress-protocol-governance-updates-1d9a8799e64c"},{"name":"Exploiting governance with metamorphic proposals — Coinbase Blog","type":"news","url":"https://www.coinbase.com/blog/exploiting-governance-with-metamorphic-proposals"},{"name":"3 Hacks an Audit Could Not Find — Sayfer","type":"news","url":"https://sayfer.io/blog/3-hacks-an-audit-could-not-find/"}],"summary":"Fortress Protocol was a BSC-based lending and borrowing protocol operated as the lending arm of JetFuel Finance. On May 9, 2022, an attacker exploited simultaneous vulnerabilities in the protocol's governance system and Umbrella Network price oracle, draining approximately $2.98 million in user funds. Stolen assets were laundered through Tornado Cash and were never recovered; the protocol subsequently removed on-chain governance and has remained largely inactive.","timeline":[{"date":"2022-04-21","event":"FTS governance token issued; total supply set at 10,000,000 tokens.","source":"SlowMist Hack Analysis","source_url":"https://slowmist.medium.com/slowmist-fortress-protocol-hack-analysis-19af24af723c"},{"date":"2022-04-29","event":"Attacker obtained 20 ETH via Tornado Cash and bridged 12.4 ETH to BSC using cBridge, beginning pre-attack preparations approximately 19 days before execution.","source":"SlowMist Hack Analysis","source_url":"https://slowmist.medium.com/slowmist-fortress-protocol-hack-analysis-19af24af723c"},{"date":"2022-05-04","event":"Attacker swapped approximately 11.4 ETH for ~400,000 FTS tokens (4% of total supply) and submitted malicious governance proposal FIP-11, which proposed raising the FTS collateral factor from 0% to 70%.","source":"CertiK — Fortress Loans Incident Analysis","source_url":"https://www.certik.com/resources/blog/k6eZOpnK5Kdde7RfHBZgw-fortress-loans-exploit"},{"date":"2022-05-07","event":"FIP-11 three-day voting period concluded with attacker's votes as the only recorded votes; proposal passed.","source":"SlowMist Hack Analysis","source_url":"https://slowmist.medium.com/slowmist-fortress-protocol-hack-analysis-19af24af723c"},{"date":"2022-05-09","event":"FIP-11 executed after 2-day implementation delay. Attacker called Umbrella Network's unprotected submit() oracle function to set FTS price to a near-trillion-dollar value, then used ~100 FTS as collateral to drain all protocol liquidity. Approximately $2.98 million stolen across BNB, ETH, stablecoins, and other tokens.","source":"Rekt News — Fortress Protocol","source_url":"https://rekt.news/fortress-rekt"},{"date":"2022-05-09","event":"Stolen assets bridged to Ethereum via Anyswap and cBridge; 1,048.1 ETH and 400,000 DAI deposited into Tornado Cash. FTS token price fell over 45%.","source":"The Record — DeFi protocol Fortress announces $3 million hack","source_url":"https://therecord.media/defi-protocol-fortress-announces-3-million-hack"},{"date":"2022-05-09","event":"JetFuel Finance team disabled supply/borrow UI, alerted Binance and Umbrella Network, and issued public disclosure acknowledging the attack.","source":"Fortress Attack Update and Compensation — JetFuel Finance","source_url":"https://jetfuelfinance.medium.com/fortress-attack-update-and-compensation-e7a66621cfe6"},{"date":"2022-05-10","event":"JetFuel Finance announced compensation plan: $300,000 USDC immediate distribution from Umbrella Network, $200,000 USDC in reserve, and 10,000,000 UMB tokens on one-year vesting.","source":"Fortress Attack Update and Compensation — JetFuel Finance","source_url":"https://jetfuelfinance.medium.com/fortress-attack-update-and-compensation-e7a66621cfe6"},{"date":"2022-05-13","event":"Protocol restart scheduled following remediation; on-chain governance removal proposal (FIP) scheduled for May 16–17 passage.","source":"Fortress Attack Update and Compensation — JetFuel Finance","source_url":"https://jetfuelfinance.medium.com/fortress-attack-update-and-compensation-e7a66621cfe6"}]},"v":1}