A $10 Million 'Bounty' for an $80 Million DeFi Attack

Fei Protocol Offers 'No Questions Asked' Deal to Hacker

Decentralized finance platform Fei Protocol has offered a $10 million "no questions asked" bounty to hackers in an attempt to recover some of the funds stolen from its recently merged decentralized autonomous organization partner Rari Capital.

The funds, it says, were stolen from Rari Fuse, which is a customizable, open interest rate protocol that allows users to lend and borrow digital assets. Even as the company is "still investigating the Fuse exploit alongside security experts," it has currently disabled borrowing.

Neither of the platforms provided details on the amount of funds stolen.

Blockchain security firm BlockSec, however, tells Information Security Media Group that about $80 million was stolen from the platform. Blockchain security firm CertiK also confirms this to ISMG, adding that the hacker is already moving funds to Tornado Cash, a privacy protocol that obfuscates the flow of funds.

Midas Capital, a fork of Rari Capital, has disclosed the technical details of how and why the attack happened. Rari Capital too has offered an explanation of the hack, including the flaw's origins and future steps, and more details have been disclosed on the Rari developer's tweet thread.

Fei Protocol, its founder Joey Santoro, and Rari Capital have not responded to ISMG's request for additional details and comment.

Many cybersecurity professionals, including BlockSec CTO Lei Wu, do not condone the DeFi platforms' move to offer the hackers who stole the funds a bounty.

Wu tells ISMG that members of the security community "do not encourage such a behavior because it seems to be an incentive for the attackers. Such an incentive may not be fair to the real white hats."

Reentrancy Vulnerability

Wu also says the hackers exploited a reentrancy vulnerability to steal the funds. "This is a typical reentrancy vulnerability," he says.

CertiK co-founder Ronghui Gu tells ISMG that a reentrancy attack happens when a hacker is able to exploit a vulnerability in a smart contract to force it to continually mint and send tokens in a transaction to a malicious wallet.

In this case, "this essentially means the hacker was able to initiate a transaction by using ETH as collateral, and then reclaim the deposited ETH without paying back the borrowed funds. This is possible as there was a loophole in the smart contract code whereby the smart contract only updates its balance after sending out the funds. This then creates a window of opportunity for a hacker to call the smart contract again and reinitiate the transaction before its balance has been updated. By deploying this attack on multiple pools, the hacker was able to drain an enormous amount of funds from the protocol," Gu says.
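The ordering flaw Gu describes, as an added example that is not from the article, Rari or Fei: a simplified Python model of a lending pool that shows the payout-before-bookkeeping order beside the corrected order. All class and method names are constructed, the 50% collateral factor is an assumption, and the `on_receive` hook stands in for the code a contract runs when it is sent ETH.

```python
class Account:
    def __init__(self, balance):
        self.balance = balance

    def on_receive(self, pool):
        # Runs while the pool is still in the middle of its own function.
        if pool.collateral.get(self, 0) > 0:
            pool.withdraw(self)

class Pool:
    """Toy lending pool; effects_first=False reproduces the flawed ordering."""
    def __init__(self, cash, effects_first):
        self.cash = cash
        self.effects_first = effects_first
        self.collateral = {}  # account -> deposited amount
        self.debt = {}        # account -> borrowed amount

    def _send(self, acct, amount):
        # Stand-in for an ETH transfer: control passes to the receiver's code.
        self.cash -= amount
        acct.balance += amount
        acct.on_receive(self)

    def deposit(self, acct, amount):
        acct.balance -= amount
        self.cash += amount
        self.collateral[acct] = self.collateral.get(acct, 0) + amount

    def withdraw(self, acct):
        if self.debt.get(acct, 0) > 0:
            return False  # collateral stays locked while debt is outstanding
        self._send(acct, self.collateral.pop(acct, 0))
        return True

    def borrow(self, acct, amount):
        if amount * 2 > self.collateral.get(acct, 0) or amount > self.cash:
            return False  # check: 50% collateral factor (assumed)
        if self.effects_first:
            self.debt[acct] = self.debt.get(acct, 0) + amount  # effect
            self._send(acct, amount)                            # interaction
        else:
            self._send(acct, amount)                            # interaction first
            self.debt[acct] = self.debt.get(acct, 0) + amount  # recorded too late
        return True

def simulate(effects_first):
    pool, acct = Pool(1000, effects_first), Account(100)
    pool.deposit(acct, 100)
    pool.borrow(acct, 50)
    return {"pool_cash": pool.cash, "collateral": pool.collateral.get(acct, 0),
            "debt": pool.debt.get(acct, 0), "account": acct.balance}
```

With the flawed ordering the pool ends up holding a debt record with no collateral behind it; with the debt recorded before the transfer, the reentrant withdrawal is refused and the collateral stays locked.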

There have been several reentrancy flaw attacks in the past, including many that have resulted in significant losses. This latest one, Wu says, may be the "biggest ever loss in terms of value."

The most famous reentrancy hack was the $60 million to $70 million DAO incident of 2016. Other hacks include, in 2021, a $600 million Grim Finance exploit, a $130 million hack in CREAM.Finance - which was breached three times that year - and a $7.2 million BurgerSwap hack. In 2020, the reentrancy hack of the Lendf.me project caused a loss of around $25 million.

Rari itself was the victim of an $11 million hack in May 2021.

Mitigation and Prevention

Before the deployment of a project's smart contract, a strict code audit is necessary to review the code logic, Wu says. He adds that "different security audit providers with different expertise are recommended."

After the deployment, suspicious on-chain transactions must be monitored and investigated so emergency response may be performed if necessary, he says. And pausing some of the multiple vulnerable pools of Rari/Fei would prevent subsequent attacks if there was timely notification of the first several attacks, Wu adds.

Rari, in its post-attack blog post, shares that it has "ensured that all code in production is scrutinized and goes through an extensive auditing process."

"In response to the identified vulnerability, Rari will be taking a series of enhanced security measures. First, Rari Capital engineers are currently conducting extensive internal reviews of the Fuse codebase," the post says.

Wu also recommends a bug bounty program to ensure that the code is under constant scrutiny for vulnerabilities.

Rari Capital says it and Fei Protocol have already done this. They have merged their respective bug bounties into one joint Tribe DAO bug bounty, the blog post says.


About the Author

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.



