CDP / Stablecoin | Advanced

Shadow Arena #014: Raft Finance

Raft was the closest real-world Liquity V1 fork shipped in production — a true PositionManager / R-stablecoin / liquidation architecture, but with stETH (and later cbETH, wstETH) as collateral instead of plain ETH. It was audited by Hats Finance in a May 2023 competition (3 H + 4 M + 11 L) and by Trail of Bits in parallel. Then in November 2023 it was exploited for ~$6.7M worth of unbacked R via a share-rounding bug in the indexed collateral-share token that neither audit caught.

This entry is the rare case where the most important lesson is what the audits did NOT find. We give you the pre-exploit audit findings to hunt first — multi-collateral redemption asymmetries, oracle deviation math, self-redemption debt drift, leverage-router collateral leaks. Find them, score them, build the auditor mindset. Then we give you a separate post-exploit tier: the precision bug that actually drained the protocol, with full forensic walkthrough of the rounding direction, the index-manipulation primitive, and the donate-and-liquidate setup the attacker used.

The framing is not 'the auditors missed it, here's the gotcha.' Hats Finance and Trail of Bits are both serious firms, and share-rounding bugs against an attacker-controlled index are one of the hardest classes of CDP bug to catch — Balancer, Onyx, and several other protocols have lost funds to the same arithmetic shape. The framing is: you've just built the Liquity V1 share/index math in Section 12 of the Build module; here is what happens when that math is reused with the wrong rounding direction in a multi-collateral fork. Test the boundary case yourself.

Scope (1584 SLOC)

File                                         SLOC
contracts/PositionManager.sol                 731
contracts/ERC20Indexable.sol                   92
contracts/RToken.sol                          102
contracts/PriceFeed.sol                       192
contracts/SplitLiquidationCollateral.sol       91
contracts/FeeCollector.sol                     33
contracts/PositionManagerStETH.sol             81
contracts/OneStepLeverage.sol                 262

Documentation

Part of the Liquity V1 Path

This shadow audit connects to the Liquity V1 Build module. Students who built the CDP protocol have an advantage because they understand Trove accounting, Stability Pool P/S decay, redistribution liquidations, and redemption-driven peg mechanics.

Duration: 10 days
Total Findings: 11
Scope: 1584 SLOC
Price: Free