Spate of Exploits Snares Rari Capital and Saddle Finance for $90M

While all eyes were on Yuga Labs’ Otherside mint over the weekend, the malicious actors that prowl DeFi didn’t take any time off.

In the early hours of Apr. 30, decentralized lending protocol Rari Capital was hit by a re-entrancy attack, resulting in a loss of $80M worth of Ether from the protocol’s Fuse lending pools.

All borrowing was halted once the exploit was flagged by audit firm BlockSec.

A re-entrancy attack refers to a vulnerability in smart contracts that allows an attacker to loop withdrawals inside a legitimate transaction. DeFi security firm Hacxyk released an analysis of the exploit shortly after it occurred.

Rari Capital is a fork of DeFi mainstay Compound Finance, whose codebase contains a widely known re-entrancy bug that has been repeatedly exploited. According to Hacxyk, security researchers flagged this issue two months ago and Rari patched the vulnerability by adding a global re-entrancy guard and paid out a bug bounty of $2M.

Yet, as we’ve seen numerous times, audits are never an ironclad guarantee of a protocol’s safety given the increasing sophistication of DeFi exploits. All it took in this case was a single smart contract function that remained vulnerable, and the hacker was able to steal $80M.

In addition, a Fuse lending pool on Rari’s Arbitrum deployment was exploited for 100 ETH ($285,000).

$10M Bounty

In December, Rari Capital merged with Fei protocol, a decentralized algorithmic stablecoin. Fei overcame some early challenges and is now the 11th largest stablecoin with a market capitalization of $567M.

The project has offered a bounty of $10M to the hacker if the stolen funds are returned.

According to a Twitter Space held on May 2, the community will decide on the next steps and whether Fei’s reserves should be used to reimburse users who lost funds. The team also indicated that security will be given priority over expansion.

Frax Finance founder Sam Kazemian attended the Space and confirmed that Frax lost eight figures in the exploit, but remains supportive of Fei, Rari and the Tribe DAO (which governs the Fei protocol). He emphasized that professional handling of the exploit and its aftermath would be the key to restoring confidence.

This isn’t the first exploit to hit Rari. In May 2021, $10M was stolen from the protocol’s Ethereum pool.

Saddle Struck by Exploit

Rari wasn’t the only target of hackers last weekend. Saddle Finance, a protocol for swapping stablecoins, was exploited to the tune of 3,375 ETH ($10M).

It was a busy day for BlockSec, who alerted the Saddle team and were able to rescue $3.8M of assets. The security firm told The Block that it was able to do this using a system that can detect and front-run hacking incidents using off-chain arbitrage bots called flashbots.

A governance proposal is currently being voted on by the Saddle community to pay BlockSec a bounty of $380K, roughly 10% of the funds recovered.

Audit firm SlowMist tweeted an analysis of the exploit, and the cause seems to be an outdated code library. Their findings echoed those of Peckshield.