The assault occurred after Tender.fi upgraded its value feed to relay knowledge from a Chainlink pricing oracle versus a time-weighted common value (TWAP). Tender.fi’s code, which was audited by PeckShield, contained an error and returned a quantity with too many zeros behind it. That meant the attacker was capable of deposit one GMX token, value round $70, successfully tricking the system into permitting infinite borrows, in line with a postmortem printed on Tender.fi’s Medium web page. There was no difficulty with the Chainlink oracle itself.
