Earlier today, ~392k USDC from SiloFinance's managed soUSDC vault on Arbitrum was forcibly allocated into the wstUSR/USDC market, leaving bad debt.
wstUSR was trading at ~$0.12 onchain, but the Silo market's oracle priced it at 1 wstUSR = 1.1329 USDC. Anyone who bought wstUSR cheaply could use it as collateral worth ~10x its real value.
The exploiter called deposit() on the wstUSR market directly, donating the shares to soUSDC. The supply cap controlling how much soUSDC can actively allocate to this market was 0, but that cap only governs the vault's own outbound deposits. It does nothing to stop external parties from crediting positions to the vault.
Each attack loop: (1) Flash-loan USDC. (2) Deposit the bulk of USDC to soUSDC. (3) Deposit a small amount to the wstUSR market directly, donate shares to soUSDC. (4) Borrow that USDC back using cheap wstUSR at the inflated oracle price. (5) Redeem the soUSDC shares — totalAssets() now includes the gifted position, so shares are worth more. (6) Walk away with profit.
Each loop was limited by how much wstUSR the attacker had, so between loops they kept buying more on the open market — driving wstUSR from ~$0.12 to ~$0.75. The loop ran 32 times over ~75 minutes.
soUSDC depositors are now exposed to ~392k of undercollateralised debt at 100% utilisation. SiloVault is forked from Morpho's MetaMorpho contract. Any MetaMorpho/SiloVault-style vault that counts externally credited market balances in totalAssets() and relies on a stale or structurally incomplete pricing path can be exposed to this same class of attack.
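A monitoring check for the two conditions described above, a vault balance sitting in a market whose supply cap does not allow it and a lending oracle far from the traded price, written as an added example (not code from Silo, Morpho or the original post). The `MarketSnapshot` fields, the 5% deviation threshold and the second market are assumptions made for illustration; the first row uses the figures quoted in the post.

```python
from dataclasses import dataclass

@dataclass
class MarketSnapshot:
    name: str
    supply_cap: float       # cap on the vault's own allocations, in USDC
    vault_assets: float     # assets the market credits to the vault, in USDC
    oracle_price: float     # collateral price the market lends against
    reference_price: float  # independent price, e.g. from onchain trades

def audit_vault(markets, max_deviation=0.05):
    """Return (findings, total_assets, flagged_assets) for one snapshot."""
    findings, total, flagged = [], 0.0, 0.0
    for m in markets:
        total += m.vault_assets  # what a totalAssets()-style sum would count
        reasons = []
        # The cap only limits the vault's own deposits, so a balance above it
        # was credited by someone else or predates a cap reduction.
        if m.vault_assets > m.supply_cap:
            reasons.append("balance_exceeds_cap")
        # Relative gap between the lending oracle and the reference price.
        if m.reference_price > 0:
            deviation = abs(m.oracle_price - m.reference_price) / m.reference_price
        else:
            deviation = float("inf")
        if deviation > max_deviation:
            reasons.append("oracle_deviation")
        if reasons:
            findings.append((m.name, reasons, round(deviation, 2)))
            flagged += m.vault_assets
    return findings, total, flagged

# Constructed snapshot: the first row uses the figures quoted in the post,
# the second row is a made-up healthy market for contrast.
SAMPLE = [
    MarketSnapshot("wstUSR/USDC", 0.0, 392_000.0, 1.1329, 0.12),
    MarketSnapshot("WETH/USDC", 5_000_000.0, 1_200_000.0, 2000.0, 1990.0),
]

if __name__ == "__main__":
    findings, total, flagged = audit_vault(SAMPLE)
    for name, reasons, deviation in findings:
        print(f"{name}: {', '.join(reasons)} (oracle off by {deviation:.0%})")
    print(f"{flagged:,.0f} of {total:,.0f} USDC in totalAssets sits in flagged markets")
```

Either finding alone is worth an alert; together they describe the state the soUSDC vault ended up in.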




