Ethereum Layer-2 network Scroll has delayed the chain’s completion due to a potentially exploitable bug in its ecosystem.
On July 19, Rho Markets, a lending protocol on the blockchain, discovered unusual activity and suspended operations to investigate.
Blockchain security firm Cyvers Alert reported a hack of approximately $7.6 million on Rho Markets’ USDC and USDT pools. The company stated:
“The root cause of this incident appears to be an oracle access control by a malicious actor!”
According to DeBank’s dashboard, the operator’s wallet contains 2,203 ETH worth $7.5 million and other assets such as Mantle’s MNT, Binance’s BNB and Fantom’s FTM tokens.
In response, Scroll Network stated that it was delaying the completion of the chain. The project stated:
“After consultation with the Rho Markets team, we have initiated a coordinated response. To thoroughly assess the situation, Scroll decided to temporarily postpone the completion of the chain. We confirmed that the exploit was application specific.”
Meanwhile, Scroll’s decision sparked a debate about the decentralization of the network. Critics argue that delaying the chain contradicts decentralized principles, while supporters believe the move was necessary to protect users’ assets.
Andy, the co-founder of The Rollup, stated:
“Until things are almost completely decentralized, I think pausing state rounding to avoid losing user funds is the right thing to do. Especially an ecosystem project that tries to innovate. However, I don’t know what this says about Scroll’s resistance to censorship.”
White hat hacker?
Meanwhile, the attacker appears willing to return the stolen money, leading to speculation that the incident may have been a white hat act.
On-chain posts shared by blockchain researcher ZachXBT show the attacker’s willingness to return the funds. The message reads:
“Hello RHO team, our MEV bot took advantage of your pricing oracle’s misconfiguration. We understand that the money belongs to users and are willing to return it in full. But first we’d like you to admit that it was a misconfiguration, and not an exploit or hack. Also explain how you can prevent this from happening again.”
On-chain data shows that the attacker’s address is linked to several centralized crypto exchanges, including Binance, Gate, KuCoin, and OKX.