Fortress Attack Update and Compensation

4 min readMay 12, 2022

We want to update everyone on the recent exploit that occurred on Fortress on May 8th. As you can imagine, it has been a hectic past couple of days for our team, so we appreciate your continued support and want you to know we are working on a positive resolution.

Fortress.loans was compromised by an oracle manipulation attack that drained all the funds in the protocol, valued at $2.3m during the attack. You can read our initial Twitter thread on the matter here: https://twitter.com/Fortressloans/status/1523495202115051520.

3rd party outlets have also covered the attack

Rekt News https://rekt.news/fortress-rekt/
Crypto Potato https://cryptopotato.com/fortress-protocol-hacked-for-3-million-drained-of-all-funds/

In short, the exploiter purchased a large amount of FTS, the governing token for Fortress. The amount of FTS now held by the exploiter was higher than the governance threshold to execute a governance proposal with 400,000 FTS. This enabled the exploiter to propose and pass protocol changes. This individual passed proposal FIP 11, which changed the collateral factor of FTS tokens from 0 to 70%. This means a user that supplies $1,000 of FTS and enables FTS as collateral can borrow up to $700 of assets from Fortress.

The exploiter then manipulates the Umbrella FTS price oracle used by the loan contract to update the token’s price. With these changes made, the exploiter’s FTS oracle value increased to nearly $1 trillion and used that as leverage to borrow all of the tokens from the ftoken contracts, worth at the time of attack $2.3 million using this transaction: https://bscscan.com/tx/0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf

https://twitter.com/peckshield/status/1523513855976128512?s=20&t=fUvF_NcvKKxpx7n209mM0A

The attacker also attacked the oracles of Maha DAO and steals about $700,000.

All assets on Fortress at the time of the attack are secured by Chainlink oracles except the FTS token.

List of Stolen Fortress Assets

The stolen tokens were converted to 1,048.1 ETH & 400,000 DAI, worth over $3 million at the time. The stolen funds were deposited into Tornado Cash from this address: https://etherscan.io/address/0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad

As soon as our team realized the exploit, we immediately published an announcement and reached out to Binance, Umbrella, and BitMart to alert them of the hack. Unfortunately, none of the original tokens have yet been recovered from the hack.

Exploit Compensation

We already have over $1 million lined up for compensation to those who lost their liquidity in the hack.

Umbrella will provide a $1,000,000 compensation to Fortress. The compensation is paid in USDC and 10,000,000 UMB tokens. At the time of writing the UMB tokens have a value of $0.05 each.

UMB Coin Market Cap: https://coinmarketcap.com/currencies/umbrella-network/

$300,000 USDC will be dispersed immediately to the Jetfuel Team to be used for compensation. An additional $200,000 will be deployed in the event any lost funds are not recoverable.

Umbrella will also provide 10,000,000 UMB tokens on a one-year linear vesting schedule. In the event UMB tokens reach $0.18 the entire amount of stolen funds can be reimbursed. UMB distributions to Fortress will begin in approximately 1 week.

The remainder of the compensation will be funded through JetFuel ecosystem revenue through project expansions, IJO revenue, DEX revenue, partnerships, and treasury investments. The Jetfuel team will work to compensate as fast as possible.

Umbrella Strategic Partnership

Immediately after the exploit was announced, Umbrella issued patches to update and fix the unsecured oracle.

Umbrella and Fortress will enter a strategic partnership to drive both value to the Fortress and Umbrella Ecosystem. Given that Fortress is one of the largest UMB holders, both projects are incentivized to ensure the UMB token value grows. Umbrella is pursuing some strategic options to strengthen its oracle, focus on key areas and revamp its engineering process.

How the compensation will be allocated

The compensation will be deployed into the ftoken markets providing immediate liquidity to the Fortress protocol. Each injection of liquidity will be divided proportionally to the amount stolen from the protocol.

For example- The first $300,000 compensation payment will be used to buy all the stolen assets and deposited into each ftoken market proportionally to the amount that was stolen.

What’s Next?

Here are the next steps that our team is currently working on:

Update Fortress Governance to remove FTS collateral factor: https://bsc.fortress.loans/vote/proposal/12 (in progress)
Restart the Fortress protocol to allow lenders and borrowers to safely interact with Fortress. (May 13th/May 14th)
Prepare and deploy compensation (ongoing)
Follow up with the security analysis firms we have reached out to and find more firms that specialize in Tornado Cash tracking (in progress)
Remove on-chain governance with a FIP (FIP May 16/17th)
Reach out to all CEXs to alert them regarding the stolen funds (completed)

Our team is working diligently to secure compensation for those affected and ensure that a hack like this will never happen again. We appreciate your continued support and will update you as progress moves forward.

Quick Links:

Fortress Website: https://fortress.loans/
Telegram: https://t.me/jetfuelfinance
Twitter: https://twitter.com/Jetfuelfinance