Verify a decision

{"actor":"system:backfill","investigation_id":"4ca64fe1-1c2b-442d-84e9-ddd98e3729f2","kind":"publish","page_slug":"raft-protocol","published_at":"2026-06-01T17:48:55.737Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Raft Protocol","sections":[{"content":"On November 10, 2023 at approximately 18:59 UTC, an attacker exploited a critical vulnerability in Raft Protocol's smart contracts to mint approximately 6.7 million unbacked R stablecoins. The attacker began by borrowing 6,000 cbETH (Coinbase-wrapped staked Ether) from Aave via a flash loan. Using a 'donation' or 'inflation' attack technique, the attacker donated cbETH directly into the rcbETH-c collateral pool contract to artificially inflate the pool's collateral index. The precision rounding flaw in the protocol's divUp function meant that when the attacker subsequently made tiny minting calls, the smart contract rounded share tokens up rather than down — granting the attacker one share per call where mathematically zero shares were due. Because the collateral index had been artificially amplified, these shares represented an outsized claim on the pool's collateral. The attacker redeemed the inflated shares for cbETH and used this to borrow and then sell massive quantities of R on Balancer and Uniswap liquidity pools, netting approximately 1,577 ETH (~$3.3 million). The unauthorized R minting caused R's dollar peg to collapse, with the stablecoin falling as low as approximately $0.18 to $0.70 depending on the reporting source.","heading":"November 2023 Flash Loan Exploit","severity":"critical","sources":[{"credibility":1,"name":"Raft Suffers $3.3M Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2023/11/10/defi-platform-raft-suffers-33m-exploit-but-hacker-likely-takes-a-loss-on-the-attack"},{"credibility":2,"name":"Raft Protocol Exploit — Nov 10, 2023 — Detailed Analysis (ImmueBytes)","type":"research","url":"https://immunebytes.com/blog/raft-protocol-exploit-nov-10-2023-detailed-analysis/"},{"credibility":1,"name":"DeFi vulnerability not detected by auditors — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/de-fi-vulnerability-leading-6-7-m-exploit-stablecoin-not-detected-by-auditors"},{"credibility":2,"name":"Raft Hack (2023) — Smart Contract Hacking","type":"research","url":"https://smartcontractshacking.com/hacks/raft-hack-2023"}]},{"content":"The Raft exploit is widely cited as one of the most ironic incidents in DeFi history: the attacker ultimately lost money. After executing the attack and converting the proceeds into approximately 1,577 ETH, a bug in the attacker's own exploit script caused 1,570 ETH (worth roughly $3.25 million) to be sent irreversibly to a burn address (0x000...dead), permanently destroying those funds. The attacker had funded their wallet with 18 ETH sourced from Tornado Cash prior to the attack. After the botched execution, they retained only 7 ETH from the operation. Subtracting the 18 ETH prepaid for attack setup plus gas costs, the attacker's net balance was approximately negative 4 ETH — a loss of roughly $8,000 to $14,000 depending on ETH price at the time. The protocol, meanwhile, absorbed the full $3.3 million loss from its liquidity, while the destroyed ETH is unrecoverable by any party.","heading":"Attacker's Self-Defeating Outcome","severity":"high","sources":[{"credibility":2,"name":"Raft exploited for $3.3 million, then hacker screws up — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/?id=raft-hack"},{"credibility":2,"name":"Hacker Exploits Raft Finance & Stole 1577 ETH Just To Burn It — The Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/hacker-exploits-raft-finance-stole-1577-eth-just-to-burn-it/"},{"credibility":1,"name":"Raft Suffers $3.3M Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2023/11/10/defi-platform-raft-suffers-33m-exploit-but-hacker-likely-takes-a-loss-on-the-attack"}]},{"content":"Raft Protocol's smart contracts had been audited by multiple security firms prior to the November 2023 exploit, including Trail of Bits and Hats Finance, as well as Curious Apple and a researcher identified as Aviggiano. Despite these assessments, none of the auditing parties identified the precision rounding vulnerability in the divUp function that enabled the attack. The post-mortem noted that Trail of Bits' own report had flagged that the codebase could benefit from improved testing and formal verification practices — but the specific rounding flaw was not surfaced as a finding. The incident is frequently cited in the DeFi security community as evidence that multiple independent audits do not guarantee the absence of critical vulnerabilities, particularly in numeric precision edge cases arising from interaction between protocol components.","heading":"Audit Failure","severity":"high","sources":[{"credibility":2,"name":"Security Audits Miss Vulnerabilities As Raft Hacked For $6.7M — Crypto Daily","type":"news_article","url":"https://cryptodaily.co.uk/2023/11/security-audits-miss-vulnerabilities-as-raft-hacked-for-67m"},{"credibility":2,"name":"Latest DeFi exploits show audits are no guarantee — Blockworks","type":"news_article","url":"https://blockworks.co/news/audits-cannot-guarantee-defi-exploits"},{"credibility":1,"name":"Raft Security Incident: Post-Mortem Analysis and Recovery Plan — Mirror.xyz (Official)","type":"official","url":"https://mirror.xyz/0xa486d3a7679D56D545dd5d357469Dd5ed4259340/_Nk6_1_VvInyC0pdvHiZuAXiqm6tYSsGYGHSfOhcO1I"}]},{"content":"Raft's R stablecoin lost its $1 peg immediately following the exploit. The stablecoin dropped as much as 50% from its peg in the hours following the attack, trading as low as approximately $0.70 on decentralized exchanges. The selling pressure was generated by the attacker dumping approximately 6.7 million newly minted, unbacked R tokens into Balancer and Uniswap liquidity pools. The protocol's Peg Stability Module (PSM), which held sDAI (savings DAI) as a backstop, was partially drawn down during and after the attack. The R stablecoin did not recover to its full peg following the incident, as all minting functions were suspended and the protocol was effectively frozen pending a recovery plan.","heading":"R Stablecoin Depeg and Market Impact","severity":"critical","sources":[{"credibility":2,"name":"Raft Loses $3.3M in Hack, R Stablecoin Down 50% — Bankless Times","type":"news_article","url":"https://www.banklesstimes.com/news/2023/11/11/raft-loses-dollar33m-in-hack-r-stablecoin-down-50percent/"},{"credibility":2,"name":"Raft platform suffers $3 million hack amid stablecoin depeg issues — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/raft-defi-platform-hack-stablecoin-depeg/"},{"credibility":1,"name":"Raft Suffers $3.3M Exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2023/11/10/defi-platform-raft-suffers-33m-exploit-but-hacker-likely-takes-a-loss-on-the-attack"}]},{"content":"Immediately following the exploit, Raft paused all smart contract interactions including minting to prevent further losses. The team filed a police report and stated it was cooperating with law enforcement, centralized exchanges, and blockchain analytics firms to identify the attacker. On November 11, 2023, the protocol issued an official post-mortem and announced it was developing a recovery plan for affected users. A revised recovery plan was published on November 17, 2023, which set a recovery rate of approximately 42% for affected users and liquidity providers, including LPs on Aerodrome. Co-founder David Garai stated the team intended to use protocol-owned sDAI in the PSM to partially compensate users. The official post-mortem acknowledged the exploited contracts had been audited and described the precision loss issue as the primary root cause. Following the incident and recovery plan, the protocol remained suspended, with the team indicating the current version of Raft would be phased out.","heading":"Protocol Response and Recovery Plan","severity":"high","sources":[{"credibility":1,"name":"Raft Security Incident: Post-Mortem Analysis and Recovery Plan — Mirror.xyz (Official)","type":"official","url":"https://mirror.xyz/0xa486d3a7679D56D545dd5d357469Dd5ed4259340/_Nk6_1_VvInyC0pdvHiZuAXiqm6tYSsGYGHSfOhcO1I"},{"credibility":1,"name":"Revised: Raft Recovery Plan (17 November 2023) — Raft Governance Forum","type":"official","url":"https://forum.raft.fi/t/revised-raft-recovery-plan-17-november-2023/256"},{"credibility":2,"name":"Raft Finance floats user bailout plan after odd exploit — Blockworks","type":"news_article","url":"https://blockworks.com/news/exploit-ether-defi-protocol"},{"credibility":2,"name":"Raft halts stablecoin minting following security breach — Crypto.news","type":"news_article","url":"https://crypto.news/raft-halts-stablecoin-minting-security-breach/"}]},{"content":"Raft Protocol was developed by Tempus Labs and launched on Ethereum as an over-collateralized stablecoin protocol in the LSDfi (liquid staking derivative finance) sector. It was inspired by the Liquity protocol design and allowed users to mint R, a USD-pegged stablecoin, by depositing LSD collateral such as wstETH (Lido wrapped staked ETH) and cbETH (Coinbase wrapped staked ETH). The protocol offered lower collateralization ratios and interest rates compared to some peers such as MakerDAO, targeting capital efficiency for staked ETH holders. Co-founders identified in connection with the project include David Garai. The protocol's GitHub organization (github.com/raft-fi) hosted its smart contracts and SDK repositories.","heading":"Background and Protocol Design","severity":"low","sources":[{"credibility":3,"name":"All You Need to Know About Raft — Gate.com","type":"other","url":"https://www.gate.com/learn/articles/all-you-need-to-know-about-raft/1113"},{"credibility":2,"name":"Raft Goes after $13 Billion LSDFi Opportunity — The Block","type":"news_article","url":"https://www.theblock.co/post/233388/raft-goes-after-13-billion-lsdfi-opportunity"}]}],"sources_used":[{"name":"Raft Suffers $3.3M Exploit That Drove Down Stablecoin 50%, but Hacker Likely Lost Money on Attack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2023/11/10/defi-platform-raft-suffers-33m-exploit-but-hacker-likely-takes-a-loss-on-the-attack"},{"name":"Raft Security Incident: Post-Mortem Analysis and Recovery Plan — Mirror.xyz","type":"official","url":"https://mirror.xyz/0xa486d3a7679D56D545dd5d357469Dd5ed4259340/_Nk6_1_VvInyC0pdvHiZuAXiqm6tYSsGYGHSfOhcO1I"},{"name":"Revised: Raft Recovery Plan (17 November 2023) — Raft Governance Forum","type":"official","url":"https://forum.raft.fi/t/revised-raft-recovery-plan-17-november-2023/256"},{"name":"Raft Protocol Exploit Nov 10, 2023 Detailed Analysis — ImmueBytes","type":"research","url":"https://immunebytes.com/blog/raft-protocol-exploit-nov-10-2023-detailed-analysis/"},{"name":"Raft exploited for $3.3 million, then hacker screws up — Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/?id=raft-hack"},{"name":"Security Audits Miss Vulnerabilities As Raft Hacked For $6.7M — Crypto Daily","type":"news_article","url":"https://cryptodaily.co.uk/2023/11/security-audits-miss-vulnerabilities-as-raft-hacked-for-67m"},{"name":"Raft Finance floats user bailout plan after odd exploit — Blockworks","type":"news_article","url":"https://blockworks.com/news/exploit-ether-defi-protocol"},{"name":"Latest DeFi exploits show audits are no guarantee — Blockworks","type":"news_article","url":"https://blockworks.co/news/audits-cannot-guarantee-defi-exploits"},{"name":"Hacker Exploits Raft Finance & Stole 1577 ETH Just To Burn It — The Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/hacker-exploits-raft-finance-stole-1577-eth-just-to-burn-it/"},{"name":"Raft platform suffers $3 million hack amid stablecoin depeg issues — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/raft-defi-platform-hack-stablecoin-depeg/"},{"name":"Raft Loses $3.3M in Hack, R Stablecoin Down 50% — Bankless Times","type":"news_article","url":"https://www.banklesstimes.com/news/2023/11/11/raft-loses-dollar33m-in-hack-r-stablecoin-down-50percent/"},{"name":"Raft Goes after $13 Billion LSDFi Opportunity — The Block","type":"news_article","url":"https://www.theblock.co/post/233388/raft-goes-after-13-billion-lsdfi-opportunity"},{"name":"Raft halts stablecoin minting following security breach — Crypto.news","type":"news_article","url":"https://crypto.news/raft-halts-stablecoin-minting-security-breach/"},{"name":"Raft Protocol Compromised: An Analysis of the $3.3M Depegging Hack — Riva North","type":"research","url":"https://rivanorth.com/blog/raft-protocol-hack"}],"summary":"Raft Protocol was an Ethereum-based over-collateralized stablecoin protocol that allowed users to mint R, a USD-pegged stablecoin, against liquid staking derivative (LSD) collateral such as stETH and cbETH. On November 10, 2023, an attacker exploited a precision rounding error in the protocol's share-token minting contract using a flash loan, minting approximately $6.7 million in unbacked R stablecoins and draining roughly $3.3 million worth of ETH from the protocol. In a notable twist, the attacker lost money on the exploit — a coding error in their own attack script sent 1,570 ETH (~$3.25 million) to a burn address, leaving them with a net loss of approximately 4 ETH after gas and flash loan costs.","timeline":[{"date":"2023-01-01","event":"Raft Protocol launched on Ethereum mainnet as an LSDfi over-collateralized stablecoin protocol backed by stETH/cbETH collateral.","source":"The Block","source_url":"https://www.theblock.co/post/233388/raft-goes-after-13-billion-lsdfi-opportunity"},{"date":"2023-11-10","event":"Attacker borrowed 6,000 cbETH via Aave flash loan, donated cbETH to inflate the collateral index in rcbETH-c contract, exploited a precision rounding error (divUp rounding up instead of down) to accumulate inflated share tokens, then redeemed them for cbETH and minted approximately 6.7 million unbacked R stablecoins.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2023/11/10/defi-platform-raft-suffers-33m-exploit-but-hacker-likely-takes-a-loss-on-the-attack"},{"date":"2023-11-10","event":"Attacker sold 6.7 million R tokens into Balancer and Uniswap liquidity pools, netting approximately 1,577 ETH (~$3.3M). A bug in the attacker's exploit script sent 1,570 ETH to a burn address, destroying ~$3.25M irreversibly. Attacker retained only 7 ETH, resulting in a net loss of ~4 ETH after the 18 ETH attack setup cost.","source":"Web3 Is Going Great","source_url":"https://www.web3isgoinggreat.com/?id=raft-hack"},{"date":"2023-11-10","event":"R stablecoin lost its $1 peg, falling approximately 50% to around $0.50–$0.70. Raft paused all smart contract minting operations.","source":"Bankless Times","source_url":"https://www.banklesstimes.com/news/2023/11/11/raft-loses-dollar33m-in-hack-r-stablecoin-down-50percent/"},{"date":"2023-11-11","event":"Raft published official post-mortem identifying precision loss in share token minting as the root cause. Team announced police report filed and cooperation with law enforcement and centralized exchanges.","source":"Mirror.xyz (Raft Official)","source_url":"https://mirror.xyz/0xa486d3a7679D56D545dd5d357469Dd5ed4259340/_Nk6_1_VvInyC0pdvHiZuAXiqm6tYSsGYGHSfOhcO1I"},{"date":"2023-11-17","event":"Raft published revised recovery plan setting a ~42% recovery rate for affected users and LPs, using protocol-owned sDAI from the Peg Stability Module.","source":"Raft Governance Forum","source_url":"https://forum.raft.fi/t/revised-raft-recovery-plan-17-november-2023/256"}]},"v":1}