The latest decentralized finance (DeFi) protocol to suffer at the hands of a malicious actor is Rari Capital, which lost over $10 million in a weekend exploit.
On May 9, Rari published a post mortem on the attack explaining how an attacker managed to drain its Ethereum pool of 2,600 ETH. The report confirmed that the loss equated to 60% of all user funds in the Rari Capital Ethereum Pool, valued at around $10 million at the time.
Rari is an automated yield farming platform that rebalances pools and funds to source the best yielding strategies across the DeFi ecosystem. As of May 1, DeFi Llama was reporting a total value locked (TVL) of $90 million; by May 10, according to Rari itself, that figure had fallen by $8 million.
The incursion, which occurred on May 8, is the latest in a long string of DeFi exploits, including the EasyFi exploit on April 20.
Outsmarting the DeFi smart contract
The post mortem explained that Rari uses Alpha Finance’s ibETH token as one of its yield-generating strategies for ETH deposits.
According to Alpha Finance, the function that calculates the total amount of ETH in the pool could be manipulated from within a smart contract call, and that same call was able to invoke functions on Rari's ETH pool contract. This let the attacker deposit ETH obtained through a dYdX flash loan while the pool's accounting was misreported, and then repeatedly withdraw more than the deposit was actually worth.
The Rari Capital Ethereum Pool's balances were artificially inflated through the vulnerability, enabling the attacker to drain the pool. Rari commented that the code had been audited but that this vulnerability was overlooked.
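To make the class of bug concrete, the following simulation is an added example: it is not Rari's or Alpha's code and not a reconstruction of the actual transaction. A vault values its strategy token at that token's spot price, a function on the token runs a caller-supplied callback while that spot price is temporarily wrong, and a deposit inside the window followed by a withdrawal after it extracts ETH that belongs to the other depositors. The contract names, the 900 and 990 ETH figures, the direction the price moves during the callback, and the `same_block_lock` mitigation are all assumptions of the model; the same class of attack works in the other direction (withdraw at an inflated value) as well.

```python
"""Constructed model of a same-transaction NAV manipulation against a pooled
vault that prices its strategy token from a spot value. Not Rari's or Alpha's
code: names, numbers and the `work` callback are assumptions."""


class StrategyToken:
    """Stand-in for a yield-bearing token such as ibETH: one token is worth
    eth / supply ETH. `work` models a function that runs a caller-supplied
    callback while `amount` ETH is, for accounting purposes, outside the
    contract, so the spot price is temporarily wrong. This window is an
    assumption of the model, not a description of the real contract."""

    def __init__(self, eth: float, supply: float) -> None:
        self.eth = eth
        self.supply = supply

    def price(self) -> float:
        return self.eth / self.supply

    def mint(self, eth: float) -> float:
        """Deposit ETH and receive tokens at the current spot price."""
        minted = eth / self.price()
        self.eth += eth
        self.supply += minted
        return minted

    def work(self, amount: float, callback) -> None:
        self.eth -= amount
        try:
            callback()
        finally:
            self.eth += amount


class Vault:
    """Stand-in for a pooled ETH vault. Shares are minted and burned at net
    asset value (NAV) per share, and NAV trusts the token's spot price."""

    def __init__(self, token: StrategyToken, same_block_lock: bool) -> None:
        self.token = token
        self.ib = 0.0            # strategy tokens held
        self.idle_eth = 0.0      # deposits not yet moved into the strategy
        self.shares: dict[str, float] = {}
        self.total_shares = 0.0
        self.same_block_lock = same_block_lock
        self.last_deposit_block: dict[str, int] = {}

    def nav(self) -> float:
        # Vulnerable valuation: whatever the token reports right now.
        return self.ib * self.token.price() + self.idle_eth

    def deposit(self, user: str, eth: float, block: int) -> float:
        minted = eth if self.total_shares == 0 else eth * self.total_shares / self.nav()
        self.idle_eth += eth
        self.shares[user] = self.shares.get(user, 0.0) + minted
        self.total_shares += minted
        self.last_deposit_block[user] = block
        return minted

    def rebalance(self) -> None:
        """Move idle ETH into the strategy token (the yield step)."""
        self.ib += self.token.mint(self.idle_eth)
        self.idle_eth = 0.0

    def withdraw(self, user: str, shares: float, block: int) -> float:
        # Assumed mitigation: a deposit and a withdrawal by the same account
        # cannot share a block, which a flash-loan-funded attack needs.
        if self.same_block_lock and self.last_deposit_block.get(user) == block:
            raise PermissionError("deposit and withdrawal in the same block")
        eth_due = shares * self.nav() / self.total_shares
        self.shares[user] -= shares
        self.total_shares -= shares
        from_idle = min(eth_due, self.idle_eth)      # pay idle ETH first,
        self.idle_eth -= from_idle                    # then redeem tokens at spot
        self.ib -= (eth_due - from_idle) / self.token.price()
        return eth_due


def run(same_block_lock: bool) -> dict:
    """Victims fund the vault; the attacker deposits flash-loaned ETH inside
    the manipulation window and withdraws once the price has recovered."""
    token = StrategyToken(eth=900.0, supply=900.0)        # 1 token = 1 ETH
    vault = Vault(token, same_block_lock)
    vault.deposit("victims", 100.0, block=1)
    vault.rebalance()                                      # vault holds 100 tokens
    victims_before = vault.nav()                           # 100 ETH

    flash_loan = 990.0     # borrowed and repaid within one transaction
    block = 2

    def callback() -> None:
        # Spot price reads 0.1 in here, so the vault's NAV looks like 10 ETH
        # and 990 ETH buys 9,900 shares against the victims' 100.
        vault.deposit("attacker", flash_loan, block)

    token.work(900.0, callback)        # price is 1.0 again once this returns
    try:
        received = vault.withdraw("attacker", vault.shares["attacker"], block)
    except PermissionError:
        # On chain the flash loan cannot be repaid, so the whole transaction
        # reverts and nothing the attacker did persists.
        return {"attacker_profit": 0.0, "victims_left": victims_before}
    victims_left = vault.shares["victims"] * vault.nav() / vault.total_shares
    return {"attacker_profit": received - flash_loan, "victims_left": victims_left}


if __name__ == "__main__":
    print("vulnerable:", run(same_block_lock=False))   # victims keep ~10.9 of 100 ETH
    print("with lock: ", run(same_block_lock=True))
```

The same-block lock shown here is the cheap, widely used defence: it stops anything funded by a flash loan, because the loan must be repaid before the transaction ends. The more fundamental fix is to value positions from something a caller cannot move within a single transaction, since a lock does nothing against an attacker willing to hold capital across blocks.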
“The code exploited was audited by Quantstamp, but, unfortunately, they were not aware of these conditions either.”
It added that further security measures would be implemented and that another audit was planned with OpenZeppelin.
Compensation from developer fund
In a May 10 update, Rari Capital founder Jai Bhavnani stated that there was a plan to use some of the developer funds in order to recompense the victims.
Around 2 million Rari Governance Tokens (RGT) were allocated to protocol contributors and ecosystem expansion. However, following a vote, it was decided to channel this into a compensation fund.
“While it was indeed initially meant to scale the team, all of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room.”
RGT prices plunged over 40% following the attack but have since recovered a little, trading at $14 at press time.