Ionic Money $8.5 million Exploit : Hack Analysis

Ionic Money, freshly rebranded from Midas after suffering two prior exploits, has fallen victim to yet another DeFi attack—this time through a classic fake collateral scheme. The attackers, posing as members of Lombard Finance, successfully deceived Ionic into listing a fraudulent version of the LBTC token. This deception enabled the exploiters to mint an excessive supply of fake tokens, use them as collateral, and drain the platform’s liquidity pools before disappearing through the Tornado Cash mixer.

This attack resulted in a loss of approximately $8.5 million on the Mode Chain. Despite the severity of the incident, Ionic Money’s response was characterized by vague statements about “sophisticated social engineering,”

Background of Ionic Money

Ionic Money is a DeFi protocol forked from Compound, offering lending and borrowing services across multiple blockchains, including Base, Optimism, Bob, Fraxtal, Lisk, and Mode. This latest attack occurred on the Mode Chain, exploiting the project’s failure to verify the authenticity of collateral assets before allowing them to be used in lending pools.

Attack Breakdown and Incident Analysis

Step 1: Creation of Fake LBTC

The attacker began by minting 60 LBTC to obtain 300 ionLBTC. However, upon further investigation, after notice that the attacker had originally minted 250 LBTC before executing the exploit.

- Minted 250 LBTC: Transaction Link

Step 2 Upon inspecting the LBTC contract, a critical flaw was identified: the contract’s Bascule address was set to 0x00000000000000000000000000000000000000000000. The Bascule component is supposed to serve as an on-chain verification system, preventing unauthorized minting of tokens.

???Step 3 ? However, since no actual contract was assigned to Bascule, the attacker could freely mint LBTC without any verification or restriction. Among them, the implementation of _confirmDeposit is as follows:

With the freshly minted fake LBTC in hand, the attacker deposited it into Ionic Money’s lending pool, receiving ionLBTC in return.

• Supply LBTC to Ionic Money: Transaction Link

Step 3: Draining the Liquidity Pools

Since Ionic Money failed to verify the authenticity of LBTC before listing it as a collateral asset, the attacker was able to use the fake tokens to borrow other valuable assets, including:

• MBTC
• uniBTC
• wrsETH
• WETH
• STONE
• Borrow Everything (Example Transaction): Transaction Link

The attacker then swiftly laundered the stolen funds using Tornado Cash, leaving Ionic Money’s liquidity pools completely drained.

Root Cause Analysis

The fundamental flaw in Ionic Money’s security was its failure to verify whether LBTC was an officially deployed contract before integrating it into the lending pool. This oversight allowed the attacker to introduce a fake token and systematically extract all available funds.

Key security lapses include:

1. No Contract Verification: Ionic Money did not confirm the legitimacy of LBTC’s smart contract before adding it as an accepted collateral asset.
2. Absence of Bascule Enforcement: The LBTC contract lacked a valid Bascule verification mechanism, allowing unrestricted minting.
3. Insufficient Risk Management: Ionic Money failed to implement adequate security measures to detect and prevent such an exploit before it could escalate.

Conclusion

The Ionic Money exploit is a textbook example of how failing to verify collateral assets can lead to catastrophic financial losses. The attacker exploited fundamental weaknesses in the LBTC contract and Ionic Money’s verification process, leading to an $8.5 million loss.

Key Exploit Details:

• Exploiter Address: 0x9E34d89C013Da3BF65fc02b59B6F27D710850430
• Fake LBTC Contract: 0x964dd444e3192f636322229080a576077b06fba3
• Attack Transactions: