Full Report
Float is a currency that tracks digital assets instead of pegging to the dollar. The pool for FLOAT was using Uniswap V3. The price of a pool is calculated from the proportional amounts of the tokens within the pool. For instance, if there are 50 of token A and 10 of token B, then the trading ratio of token A for token B would be 5:1. In Uniswap V3, there is a TWAP (Time-Weighted Average Price) for the pricing. This means it's not trivial to manipulate the pool, since time is a factor. In the previous week, $1M in assets had been taken out, leaving $550K in total. Additionally, the price of FLOAT had gone up considerably. The attacker bought 77.5k FLOAT using 47 ETH. The pool then contained 250K USDC and 5 FLOAT. After waiting a few minutes, the TWAP caught up and the price had changed drastically. The attacker then deposited their overvalued FLOAT to get other assets. Since the FLOAT was overvalued, they were able to make a profit from this.
Analysis Summary
# Incident Report: Float Protocol TWAP Manipulation Attack
## Executive Summary
Float Protocol experienced a price manipulation attack targeting its Uniswap V3 FLOAT/USDC pool. By exploiting low liquidity and the Time-Weighted Average Price (TWAP) mechanism, an attacker artificially inflated the value of FLOAT tokens to drain other assets from the protocol. The incident resulted in the loss of the remaining pool liquidity following a period of significant TVL (Total Value Locked) decline.
## Incident Details
- **Discovery Date:** Not explicitly stated (Reported via X/Twitter)
- **Incident Date:** Within the last 7 days of the report
- **Affected Organization:** Float Protocol
- **Sector:** Decentralized Finance (DeFi) / Cryptocurrency
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-attack week
- **Vector:** Liquidity Reduction
- **Details:** Approximately $1M in assets were withdrawn from the FLOAT/USDC Uniswap V3 pool, leaving only $550k in total liquidity. This reduced the capital required to manipulate the price.
### Lateral Movement
- **Preparation Phase:** The attacker acquired 77.5k FLOAT tokens using 47 ETH.
- **Manipulation Phase:** The attacker executed trades that skewed the pool ratio to 250k USDC against only 5 FLOAT tokens.
### Data Exfiltration/Impact
- **Date/Time:** Minutes after price manipulation
- **Details:** After waiting for the Uniswap V3 TWAP oracle to update (catch up) to the skewed price, the attacker deposited their now "overvalued" FLOAT tokens into the protocol to collateralize or swap for other valuable assets, effectively draining the protocol's reserves.
### Detection & Response
- **Detection:** Identified via post-incident chain analysis and social media reporting.
- **Response Actions:** Protocol team issued a post-mortem via social media (X) to explain the mechanism of the exploit.
## Attack Methodology
- **Initial Access:** Market purchase of FLOAT tokens.
- **Persistence:** N/A (Smart Contract Exploit).
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Use of a "wait period" to allow the TWAP (Time-Weighted Average Price) to settle, making the manipulated price appear legitimate to the protocol's internal accounting.
- **Credential Access:** N/A.
- **Discovery:** Identification of low liquidity in the Uniswap V3 pool ($550k remaining).
- **Lateral Movement:** N/A.
- **Collection:** N/A.
- **Exfiltration:** Execution of swaps/loans using artificially inflated FLOAT collateral.
- **Impact:** Oracle Manipulation / Price Lag Exploitation.
## Impact Assessment
- **Financial:** Loss of remaining pool liquidity (~$550k range mentioned prior to final drain).
- **Data Breach:** None (Non-custodial protocol).
- **Operational:** Disruption of the FLOAT token's stable-tracking mechanism.
- **Reputational:** Significant loss of investor confidence due to the perceived fragility of the TWAP mechanism during low liquidity.
## Indicators of Compromise
- **Behavioral indicators:**
- Massive ETH to FLOAT buy orders.
- Extreme USDC/FLOAT imbalance (250k:5) in Uniswap V3 pools.
- Rapid withdrawal of assets immediately following a TWAP update.
## Response Actions
- **Containment:** Monitoring of remaining protocol assets.
- **Eradication:** N/A (Immutable smart contracts).
- **Recovery:** Public disclosure of the incident via X/Twitter to inform the community.
## Lessons Learned
- **Liquidity Sensitivity:** TWAP oracles are not a silver bullet; they can still be manipulated if liquidity is low enough for an attacker to hold a skewed price for the duration of the average window.
- **Threshold Alerts:** Protocols should have alerts for significant drops in TVL (the $1M withdrawal) which serve as precursors to manipulation attacks.
- **Oracle Dependency:** Relying on a single DEX pool for pricing is dangerous when that pool's liquidity fluctuates.
## Recommendations
- **Diversified Oracles:** Supplement Uniswap V3 TWAP with Chainlink or other decentralized oracle aggregators to prevent single-source manipulation.
- **Liquidity Minimums:** Implement "circuit breakers" that pause trading or lending if the underlying liquidity pool depth falls below a secure threshold.
- **Dynamic TWAP Windows:** Adjust the time-weighted window based on current liquidity—longer windows for thinner pools.
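The following simulation is an added example, not code from Float Protocol or from the original report. It models the geometric-mean TWAP described in the Full Report (one observation per second, a constructed 600-second window and a constructed fair price of 1 USDC/FLOAT) and shows how long a skewed spot of 250k USDC : 5 FLOAT must be held before the oracle reads it as legitimate, then applies the two guards from the Recommendations: a deviation check against a reference feed and a liquidity circuit breaker. The thresholds `MIN_FLOAT_DEPTH` and `MAX_DEVIATION` are assumptions.

```python
import math

# Constructed sample values for the simulation; only SKEWED_POOL comes from the report.
WINDOW = 600                 # TWAP window in seconds (assumption)
FAIR_PRICE = 1.0             # USDC per FLOAT before manipulation (constructed)
SKEWED_POOL = (250_000, 5)   # (USDC, FLOAT) reserves after the manipulation trade
MIN_FLOAT_DEPTH = 10_000     # circuit-breaker threshold in FLOAT (assumption)
MAX_DEVIATION = 0.05         # tolerated gap between TWAP and reference feed (assumption)


def spot_price(usdc, flt):
    """Spot price implied by pool reserves: USDC per FLOAT."""
    return usdc / flt


class TwapOracle:
    """Geometric-mean TWAP in the style of Uniswap V3: it averages log(price)
    over the window. One observation per second keeps the arithmetic simple."""
    def __init__(self, window):
        self.window = window
        self.log_prices = []

    def observe(self, price):
        self.log_prices.append(math.log(price))

    def twap(self):
        recent = self.log_prices[-self.window:]
        return math.exp(sum(recent) / len(recent))


def simulate(hold_seconds):
    """Feed FAIR_PRICE for a full window, then hold the skewed spot for
    hold_seconds. Returns the TWAP the protocol would read at that moment."""
    oracle = TwapOracle(WINDOW)
    for _ in range(WINDOW):
        oracle.observe(FAIR_PRICE)
    skewed = spot_price(*SKEWED_POOL)
    for _ in range(hold_seconds):
        oracle.observe(skewed)
    return oracle.twap()


def oracle_deviation_ok(twap, reference, max_dev=MAX_DEVIATION):
    """Diversified-oracle check: reject a TWAP that strays from a reference feed."""
    return abs(twap / reference - 1.0) <= max_dev


def liquidity_ok(usdc, flt, min_float=MIN_FLOAT_DEPTH):
    """Circuit breaker: refuse to price against a pool that is too thin."""
    return flt >= min_float


if __name__ == "__main__":
    for held in (0, 30, WINDOW):
        t = simulate(held)
        print(f"held {held:4d}s -> TWAP {t:10.2f}  deviation ok: {oracle_deviation_ok(t, FAIR_PRICE)}")
    print("liquidity ok:", liquidity_ok(*SKEWED_POOL))
```

With a 50,000x spot skew, holding it for only 30 seconds of a 600-second window already moves the TWAP by about 70%, so a reference-feed deviation check fires long before the window catches up, and the liquidity check rejects the 5-FLOAT pool outright.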