According to PANews, Web3 security firm GoPlus reported on the X platform that the Ethereum-based DeFi project R0AR experienced a security breach on April 16, resulting in a theft of approximately $780,000. The incident was attributed to a backdoor in the project's contract. The project team released an incident report today, stating that the stolen funds have been recovered, although the addresses and transaction hashes have not yet been disclosed. This incident serves as a reminder for users to be cautious of backdoor contracts, specifically warning against interacting with contract 0xBD2Cd7.
The R0ARStaking contract contained a backdoor from the moment it was deployed. A malicious address, 0x8149f, was pre-configured with a large $1R0R token balance available for withdrawal. The attacker first made small deposit() and harvest() transactions to set up a malicious EmergencyWithdraw() call. In the contract's logic, because the rewardAmount exceeded r0arTokenBalance (the contract's own token balance), rewardAmount was capped at that balance, so every token held by the contract was transferred to the malicious address 0x8149f. In the same way, all LP tokens held by the LP Token contract were transferred to the same address. Finally, userInfo.amount was set to zero. userInfo is a mapping, and each entry's storage slot is derived from the hash of its key (uid and msg.sender). This indicates that the backdoor was premeditated: the storage entry for the malicious address was computed before the contract was deployed.