Rari Fuze hacker offered $10M bounty by Fei Protocol to return $80M loot

Published at: May 1, 2022

Decentralized finance (DeFi) platform Fei Protocol offered a $10 million bounty to hackers in an attempt to negotiate and retrieve a major chunk of the stolen funds from various Rari Fuse pools worth $79,348,385.61 — nearly $80 million.

On Saturday, Fei Protocol informed its investors about an exploit across numerous Rari Capital Fuse pools while requesting the hackers to return the stolen funds against a $10 million bounty and a “no questions asked” commitment.

We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and paused all borrowing to mitigate further damage. To the exploiter, please accept a $10m bounty and no questions asked if you return the remaining user funds.

— Fei Protocol (@feiprotocol) April 30, 2022

While the exact losses from the exploit were not officially released, DeFi investigator BlockSec’s monitoring system detected a loss of more than $80 million — citing the root cause as a typical reentrancy vulnerability. While reentrancy bugs have been the main culprit in many exploits within the DeFi ecosystem, the $80 million loot makes the Fei Protocol exploit one of the largest reentrancy hacks ever.

Upon further investigation, Rari developer Jack Longarzo revealed a total of six vulnerable pools (8, 18, 27, 127, 144, 146, 156), which have been temporarily paused while an internal fix is underway. At the time of writing, Rari’s internal and external security engineers had partnered with DeFi service provider Compound Treasury to further investigate and neutralize the hack.

Providing further insight into the development, blockchain investigator PeckShield narrowed the exploit down to a reentrancy bug: a function makes an external call to another, untrusted contract before it has finished updating its own state, and that contract uses the call to re-enter the function while the stale state is still in place.

The old reentrancy bug bites again on Compound forks w/ $80M loss! This time, it re-enters via exitMarket()!!! https://t.co/NpC8AAZRXc Watch out, all Compound forks in EVM-compliant chains. Get in touch with your auditors now or feel free to contact us if we can be of any help pic.twitter.com/M9JElTWMSd

— PeckShield Inc. (@peckshield) April 30, 2022
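To show the bug class PeckShield is describing, here is an added example that is not Fei, Rari or Compound code: a hypothetical, heavily simplified lending pool whose `borrow` makes its external call before recording the new debt, followed by the hardened form that records the effect first and adds a reentrancy guard (contract and function names are assumptions).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical simplified pool, NOT the Rari/Compound implementation.
// Vulnerable pattern: the external call runs before the borrower's debt is
// recorded, so a contract receiver can call borrow() again against stale state.
contract VulnerablePool {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    function deposit() external payable {
        collateral[msg.sender] += msg.value;
    }

    function borrow(uint256 amount) external {
        // CHECK uses debt that this call has not yet updated
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        // INTERACTION before EFFECT: control passes to msg.sender here
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        debt[msg.sender] += amount; // EFFECT recorded too late
    }
}

// Hardened form: checks-effects-interactions order plus a reentrancy guard.
contract HardenedPool {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 private locked = 1; // 1 = free, 2 = a call is in progress

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function deposit() external payable {
        collateral[msg.sender] += msg.value;
    }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        debt[msg.sender] += amount;                        // EFFECT first
        (bool ok, ) = msg.sender.call{value: amount}("");  // INTERACTION last
        require(ok, "transfer failed");
    }
}
```

The guard alone stops a nested call into `borrow`; the reordering also protects any other function that reads `debt` during the external call, which is why both are applied.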

Security-focused ranking platform CertiK told Cointelegraph that the attacker has sent 5400 Ether (ETH), or $15,298,900 at the time of writing, to Tornado Cash and still holds 22,672.97 ETH, or $64,245,245.43 at the time of writing, in their wallet. The attack has drained funds from the Rari pool while the Fei Pools (Tribe, Curve) remain unaffected.

Last year, on May 8, 2021, Rari Capital fell victim to a costly exploit related to its integration with Alpha Venture DAO, previously Alpha Finance Lab. At the time of writing, there have been no official announcements from the Fei Protocol team on the results of their investigation.

Related: Plan for $1M bug bounties and double the nodes in wake of $600M Ronin hack

As the crypto community goes through an ever-evolving battle against hackers, numerous projects and protocols have decided to step up their security measures. On Thursday, the Ronin Network and Sky Mavis revealed plans to upgrade their smart contracts — following the $600 million hack in the previous month.

We have put together a postmortem regarding the Ronin exploit that occurred on March 23rd.
• Why it happened
• What we're doing to make sure this never happens again
• Ronin bridge re-opening update
https://t.co/FfwCtCG84E

— Ronin (@Ronin_Network) April 27, 2022

The United States Federal Bureau of Investigation (FBI) attributed the attack to the North Korea-based, state-sponsored hacking group Lazarus, as it fired off a warning to other crypto and blockchain organizations.
