
Rari Capital Details $10M DeFi Hack in Post Mortem

Updated by Kyle Baird

In Brief

  • Rari Capital lost $10 million over the weekend.
  • Bad actor exploited ETH pool smart contracts.
  • Rari plans to reimburse users with developer fund tokens.

The latest decentralized finance (DeFi) protocol to suffer at the hands of a malicious actor is Rari Capital, which lost over $10 million in a weekend exploit.

On May 9, Rari published a post mortem on the attack explaining how an attacker managed to drain its Ethereum pool of 2,600 ETH. The report confirmed that the loss equated to 60% of all user funds in the Rari Capital Ethereum Pool, valued at around $10 million at the time.

Rari is an automated yield farming platform that rebalances pools and funds to source the best yielding strategies across the DeFi ecosystem. As of May 1, DeFi Llama was reporting a TVL of $90 million, but that had fallen by $8 million on May 10 according to Rari itself.

The incursion, which occurred on May 8, is the latest in a long string of DeFi exploits, including the EasyFi exploit on April 20.

Outsmarting the DeFi smart contract

The post mortem explained that Rari uses Alpha Finance’s ibETH token as one of its yield-generating strategies for ETH deposits.

According to Alpha Finance, the function that calculates the total amount in the pool was manipulated from within the smart contract so that it called back into other functions of Rari’s ETH pool contract. This enabled the attacker to deposit ETH obtained through a dYdX flash loan and then repeatedly withdraw more than was actually in the pool.

The Rari Capital Ethereum Pool’s balances were artificially inflated through this vulnerability, enabling the attacker to drain the pool and make off with the funds. Rari commented that the code had been audited, but this vulnerability was overlooked.
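To illustrate the class of weakness described above, here is a simplified ETH pool whose share accounting depends on a total reported by an external strategy contract, written with a reentrancy guard and checks-effects-interactions ordering so that a re-entrant call from inside that external query reverts instead of inflating balances. This is an added example, not Rari’s or Alpha Finance’s code; the IStrategy interface, its function names and the pool logic are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical strategy interface (assumption): the pool asks the strategy how much ETH it holds.
interface IStrategy {
    function totalETH() external returns (uint256);
    function deposit() external payable;
    function withdraw(uint256 amount) external;
}

// Simplified pool whose share price depends on an externally reported balance.
contract HardenedEthPool {
    IStrategy public immutable strategy;
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    uint256 private locked; // 1 = unlocked, 2 = locked (reentrancy guard state)

    constructor(IStrategy s) { strategy = s; locked = 1; }

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    // Total pool assets: ETH held here plus whatever the strategy reports.
    // totalETH() is an external call, so anything it triggers could try to
    // re-enter deposit() or withdraw(); the guard makes that re-entry revert.
    function totalAssets() internal returns (uint256) {
        return address(this).balance + strategy.totalETH();
    }

    function deposit() external payable nonReentrant {
        uint256 assetsBefore = totalAssets() - msg.value;
        uint256 minted = totalShares == 0 ? msg.value : msg.value * totalShares / assetsBefore;
        shares[msg.sender] += minted;   // effects are recorded before any external interaction
        totalShares += minted;
        strategy.deposit{value: msg.value}();
    }

    function withdraw(uint256 shareAmount) external nonReentrant {
        require(shares[msg.sender] >= shareAmount, "insufficient shares");
        uint256 owed = shareAmount * totalAssets() / totalShares;
        shares[msg.sender] -= shareAmount;      // burn shares first...
        totalShares -= shareAmount;
        if (address(this).balance < owed) strategy.withdraw(owed - address(this).balance);
        (bool ok, ) = msg.sender.call{value: owed}("");  // ...then send ETH last
        require(ok, "transfer failed");
    }
}
```

Without the guard, a strategy whose totalETH() could be steered into calling the pool again would be able to mint or redeem shares against a total that is already stale, which is the accounting failure the post mortem describes.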

“The code exploited was audited by Quantstamp, but, unfortunately, they were not aware of these conditions either.”

It added that further security measures will be implemented in the future and there is another audit planned with OpenZeppelin.

Compensation from developer fund

In a May 10 update, Rari Capital founder Jai Bhavnani stated that there was a plan to use some of the developer funds in order to recompense the victims.

Around 2 million Rari Governance Tokens (RGT) were allocated to protocol contributors and ecosystem expansion. However, following a vote, it was decided to channel this into a compensation fund.

“While it was indeed initially meant to scale the team, all of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room.”

RGT prices plunged over 40% following the attack but have managed to recover a little to trade at $14 at the time of press.


Martin Young