decrypt.co
An exploit enabled attackers to drain $80 million in crypto from decentralized finance (DeFi) platform Rari Capital’s liquidity pools, according to a tweet today by blockchain and smart contract audit firm BlockSec.
The BlockSec team called the security flaw a “typical reentrance vulnerability,” and tweeted again with a picture displaying the offending code.
Algorithmic stablecoin Fei—the self-touted “Stablecoin for DeFei”—also had contributed liquidity to Rari Capital’s exploited pools. Fei has a market cap of well over half a billion dollars, making it the 11th largest stablecoin, according to data from CoinGecko.
one picture worth a thousand words 🙂 pic.twitter.com/dVxTMMpWZM
— BlockSec (@BlockSecTeam) April 30, 2022
In December, Fei merged with Rari Capital. Rari enables the creation of so-called Fuse Pools—permissionless lending pools—that anyone with a wallet can access from anywhere to lend or borrow ERC-20 tokens. No minimum funds are required of users.
Fei and Rari’s joint effort got off the ground with $2 billion in liquidity.
Fei Protocol acknowledged the exploit on Twitter shortly before BlockSec’s report, saying, “We have identified the root cause and paused all borrowing.” Fei also promised a $10 million bounty to the attackers if they return the stolen funds.
We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and paused all borrowing to mitigate further damage.
To the exploiter, please accept a $10m bounty and no questions asked if you return the remaining user funds.
— Fei Protocol (@feiprotocol) April 30, 2022
Fei is trading a little below its peg, at $0.9895, as of this writing.
$11 million in 2021
This isn’t Rari Capital's first major exploit. In May of last year, a hacker stole 2,600 ETH (worth around $11 million at the time) from Rari Capital users.
At the time, CEO Jai Bhavnani said Rari team members would be sacrificing their RGT allocations and putting them toward the reimbursement. When the companies merged, Fei Protocol assumed some of Rari’s liabilities stemming from that exploit.