Rari Capital Details $10M DeFi Hack in Post Mortem

Share Article
In Brief
The Trust Project is an international consortium of news organizations building standards of transparency.

The latest decentralized finance (DeFi) protocol to suffer at the hands of a malicious actor is Rari Capital, which lost over $10 million in a weekend exploit.



On May 9, Rari published a post mortem on the attack explaining how an attacker managed to drain its Ethereum pool of 2,600 ETH. The report confirmed that the loss equated to 60% of all user funds in the Rari Capital Ethereum Pool, valued at around $10 million at the time.

Rari is an automated yield farming platform that rebalances pools and funds to source the best yielding strategies across the DeFi ecosystem. As of May 1, DeFi Llama was reporting a TVL of $90 million, but that had fallen by $8 million on May 10 according to Rari itself.



The incursion, which occurred on May 8, is the latest in a long string of DeFi exploits, including the EasyFi exploit on April 20.

Outsmarting the DeFi smart contract

The post mortem explained that Rari uses Alpha Finance’s ibETH token as one of its yield-generating strategies for ETH deposits.

According to Alpha Finance, the function to calculate the total amount in the pool was manipulated from within the smart contract to call other functions from Rari’s ETH pool contract. This enabled the attacker to deposit ETH, which was gained from a dYdX flash loan, and repeatedly withdraw more than was actually in the pool.

Rari Capital Ethereum Pool’s balances were artificially inflated through the vulnerability enabling the attacker to make off with the loot and drain the pool. Rari commented that the code had been audited but this vulnerability was overlooked.

“The code exploited was audited by Quantstamp, but, unfortunately, they were not aware of these conditions either.”

It added that further security measures will be implemented in the future and there is another audit planned with OpenZeppelin.

Compensation from developer fund

In a May 10 update, Rari Capital founder Jai Bhavnani stated that there was a plan to use some of the developer funds in order to recompense the victims.

Around 2 million Rari Governance Tokens (RGT) were allocated to protocol contributors and ecosystem expansion. However, following a vote, it was decided to channel this into a compensation fund.

“While it was indeed initially meant to scale the team, all of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room.”

RGT prices plunged over 40% following the attack but have managed to recover a little to trade at $14 at the time of press.


All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.
Share Article

Martin has been covering the latest developments on cyber security and infotech for two decades. He has previous trading experience and has been actively covering the blockchain and crypto industry since 2017.

Follow Author

$200 reward waiting for you — Deposit, Trade, Follow and Claim today!


Limited offer! Learn to mine and trade crypto today for free