- Rari Capital was hacked around 9:00 and 9:35 AM UTC on April 30th, where the hacker drained seven of Rari’s Fuse pools for nearly $80M.
Below is a quick overview of this project.
Rari Capital is a DeFi protocol that facilitates lending, borrowing, and creating isolated lending markets with unlimited flexibility.
Firstly, the Compound codebase had a known problem of a broken check-effect-interaction pattern in the borrow function of CToken, aka re-entrancy. However, this would only be exploitable if an underlying asset has a transfer hook. E.g.
Now, the following question Compound has many forks, including Compound itself are not exploited. It is because as long as they check if a token has a transfer hook before adding it to the market, the re-entrancy puzzle is incomplete.
Rari uses a much older codebase that has another problem. Particularly in CEther, It’s using
.call.value()() instead of
.transfer() to send out ETH! This is a re-entrancy pattern because if the receiver is a contract, it can make a call to another/same contract via
receive(). By combining these two, it’s possible to completely transfer all borrowable funds.
2 months ago, Samczsun, Hubert Ritzdorf, and Yannis Smaragdakis reported this issue to Rari. Rari patched it by adding a global re-entrancy guard in all CToken. So that even when there’s a re-rentrancy, one cannot re-enter any other functions. A $2M bounty was awarded.
However, this was proved to be not enough. While the re-entrancy guard protects all state-changing functions in CToken, functions in Comptroller are not. Especially in
Comptroller.exitMarket() makes a deposited asset no longer a collateral so that it can be withdrawn at any time.
Now, we will see how this hack occurred and what steps the hacker used.
- Attacker flashloaned 150,000,000 USDC and 50,000 WETH
- Deposited 150,000,000 USDC as collateral into the fUSDC-127 contract, a vulnerable fork version of the compound protocol.
- With deposited collateral, the attacker borrowed 1,977 ETH via the
borrow()function. It transferred ETH to the attacker’s contract before updating the attacker’s actual borrow records.
- Therefore, with the attacker’s borrow record not updated, the attacker made a reentrant call to
exitmarket()in the fallback function, which allows the attacker to withdraw all his collateral, i.e., 150M USDC
- The attacker repeated steps 1~5 on multiple other tokens.
- Finally, the attacker repaid the flashloan and transferred the rest to their address as profit, and routed some of the funds onward to Tornado Cash.
We would like to credit Hacxyk and CertiK for all this information.
As crypto hacks are increasing nowadays, our readers should stay alert.
Here are some latest hacked Projects our readers should know about: