CertiK: Rikkei Finance Attacked Due to Lack of Access Control on setOracleData Function

CertiK tweeted that Rikkei Finance was attacked due to a lack of access control on function setOracleData. The attacker changed the oracle to a malicious contract, and then manipulated prices, borrowed funds to then drain $USDC, $BTCB, $DAI, $USDT, $BUSD and $BNB from the contract in successive transactions. The attacker swapped all of those tokens to 2,671 $BNB (about $1.11 million) and then used Tornado Cash to transfer those $BNB out of his address.