Ethereum layer-2 network Scroll has postponed its chain finalization process due to a potential bug that could be exploited within its system.
Rho Markets, a lending protocol on the network, noticed suspicious activity on July 19 and halted operations to investigate.
Cyvers Alert, a blockchain security firm, reported a hack of around $7.6 million on Rho Markets’ USDC and USDT pools. The firm stated:
“The root cause of this incident appears to be an oracle access control issue exploited by a malicious actor!”
According to DeBank’s dashboard, the exploiter’s wallet contains 2,203 ETH valued at $7.5 million, along with other assets like Mantle’s MNT, Binance’s BNB, and Fantom’s FTM tokens.
In response, Scroll Network announced a delay in its chain finalization. The project explained:
“After consulting with the Rho Markets team, we took coordinated action. To thoroughly assess the situation, Scroll decided to temporarily postpone chain finalization. We have confirmed that the exploit was specific to the application.”
Scroll’s decision has sparked a debate on the network’s level of decentralization. Critics argue that delaying the chain goes against decentralized principles, while supporters believe it was necessary to safeguard users’ assets.
Andy, the co-founder of The Rollup, shared his perspective:
“Until we achieve near-maximal decentralization, I believe pausing state finalization to prevent user asset loss is the right move, especially for an innovative ecosystem project. However, I am uncertain about Scroll’s censorship resistance in light of this incident.”
Whitehat hacker?
Meanwhile, the attacker has indicated a willingness to return the stolen funds, leading to speculation that the act might be considered whitehat behavior.
Blockchain investigator ZachXBT shared on-chain messages that show the attacker’s intention to return the funds. The message reads:
“Hello RHO team, our MEV bot took advantage of your price oracle misconfiguration. We acknowledge that the funds belong to users and are prepared to return them in full. However, we request that you acknowledge this as a misconfiguration, not an exploit or hack. Please also outline how you plan to prevent such incidents in the future.”
Interestingly, on-chain data reveals that the attacker’s address is associated with various centralized crypto exchanges, including Binance, Gate, KuCoin, and OKX.