$80M Lost in Attack on Rari Capital

Rari Capital’s Fuse lending pools were targeted this morning. 

Key Takeaways

  • Rari Capital and Fei Protocol have been affected today by another major exploit.
  • A hacker stole about $80 million from Rari’s Fuse lending pools early Saturday. 
  • The Fei team is offering the hacker a $10 million bounty to return the funds.

The Fei team is offering a $10 million bounty for the safe return of the funds. 

Rari Hacker Steals $80M

The DeFi space has been hit by another major exploit. This time, Rari Capital and Fei Protocol are affected. 

On-chain data shows that a hacker stole about $80 million from Rari’s Fuse lending pools early Saturday. 

Continuing a trend seen in many other DeFi attacks over the past year, the hacker exploited what’s known as a reentrancy bug, a form of smart contract exploit that essentially allows an attacker to trick a protocol into letting them withdraw an excess supply of tokens they don’t actually own. 
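To make the reentrancy mechanism described above concrete, here is an added example (not part of the original article, and not Rari's or Fei's contract code): a simplified Python model of a pool that pays out through a recipient callback, showing the stale-ledger ordering beside the checks-effects-interactions ordering. The names `Pool`, `Honest`, `Reentrant` and `run`, and all amounts, are hypothetical.

```python
# Simplified model of reentrancy in a pool (constructed example, not Fuse code).
class Pool:
    """Toy pool: credits deposits in a ledger and pays out via a callback."""
    def __init__(self, safe):
        self.safe = safe        # True = update ledger before the external call
        self.balances = {}      # internal ledger: account -> credited amount
        self.reserves = 0       # tokens the pool actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)           # check
        if amount == 0 or amount > self.reserves:
            return
        if self.safe:
            self.balances[who] = 0                   # effect first
            self.reserves -= amount
            who.receive(self, amount)                # interaction last
        else:
            self.reserves -= amount
            who.receive(self, amount)                # external call, ledger still stale
            self.balances[who] = 0                   # ledger updated too late

class Honest:
    def __init__(self):
        self.received = 0
    def receive(self, pool, amount):
        self.received += amount

class Reentrant(Honest):
    def receive(self, pool, amount):
        self.received += amount
        pool.withdraw(self)      # re-enters before the first withdraw has returned

def run(safe):
    """Return (tokens paid to the reentrant account, reserves left in the pool)."""
    pool, other, caller = Pool(safe), Honest(), Reentrant()
    pool.deposit(other, 90)      # constructed amounts
    pool.deposit(caller, 10)
    pool.withdraw(caller)
    return caller.received, pool.reserves

if __name__ == "__main__":
    print("stale ledger:", run(safe=False))
    print("effects before interaction:", run(safe=True))
```

With the ledger updated before the callback, the nested call sees a zero balance and pays nothing; auditors look for exactly this ordering, usually combined with a reentrancy lock shared across every function that touches the same state.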

Rari’s Fuse pools run on Ethereum’s sprawling DeFi ecosystem. They offer a way to create isolated lending markets for all kinds of tokenized assets, something that isn’t offered by many other larger, more liquid lending protocols. One of Fuse’s key users is Fei, another DeFi protocol that’s best known for creating the FEI stablecoin. Fei supplies FEI to Fuse’s lending markets in order to increase its liquidity and make the stablecoin more robust. Due to their close relationship, the two projects recently completed a merger. 

The Fei team took to Twitter to announce the hack shortly after it occurred, saying it had identified an exploit in its Rari Fuse pools and paused its borrowing feature. It also offered the hacker a $10 million bounty in exchange for the safe return of the funds. According to a Discord message from Fei’s Joey Santoro, a post-mortem report will follow in the near future. 

The blockchain analytics firm PeckShield also confirmed the attack in a tweet, noting that “the old reentrancy bug bites again.”

As is often the case in incidents such as this one, the attacker has already begun funneling funds through Tornado Cash, an Ethereum-based mixer that helps users preserve privacy by obfuscating their transaction history. At press time, their Ethereum wallet still contains just under 22,673 ETH worth around $63.75 million. 

DeFi Attacks Continue 

Today’s incident is only the latest in a series of multi-million dollar DeFi hacks over recent months. As Ethereum is the main hub for DeFi today, it’s become a hotbed for such attacks courtesy of Solidity-native opportunists that know how to read poorly-written code. Solidity is Ethereum’s coding language, but very few people in the world are familiar with it. That means that decent auditing can be hard to come by, and those who can audit can get away with charging a small fortune. 

Interestingly, the biggest DeFi hacks often occur on weekends, possibly because attackers believe that teams will be slower to respond and they’ll have a greater chance of getting away with the crime. Today, only a few hours after the Rari attack, Saddle Finance was hit by a similar eight-figure exploit. And on Apr. 17, Beanstalk was drained of about $76 million. DEUS Finance was also hit Thursday with the hacker making off with about $13.4 million. Though DeFi is known for its countless hacks, bad actors are increasingly targeting NFT communities like Bored Ape Yacht Club as the prices of sought-after NFTs have skyrocketed. For Web3 users, the endless wave of attacks should serve as a reminder of the risks associated with using Ethereum and still-nascent crypto technology. 

Disclosure: At the time of writing the author of this piece owned ETH and several other cryptocurrencies.