The monitoring system of DeFi investigator BlockSec identified a loss of more than $80 million, with the main cause being a usual reentrancy vulnerability.
In an attempt to negotiate and reclaim a significant portion of the funds stolen from several Rari Fuse pools, valued at $79,348,385.61 (nearly $80 million), decentralized finance platform Fei Protocol offered the hackers a $10 million bounty.
On Saturday, Fei Protocol notified its investors of an attack that affected many Rari Capital Fuse pools, proposing that the hackers return the stolen assets in exchange for a $10 million reward and a “no questions asked” guarantee.
We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and paused all borrowing to mitigate further damage.
To the exploiter, please accept a $10m bounty and no questions asked if you return the remaining user funds.
— Fei Protocol (@feiprotocol) April 30, 2022
While the specific damages from the attack were not disclosed, DeFi investigator BlockSec’s monitoring system reported a loss of more than $80 million, indicating a usual reentrancy weakness as the primary cause. While reentrancy flaws have been at the heart of numerous exploits in the DeFi ecosystem, the roughly $80 million lost from the Fei Protocol pools makes this one of the most lucrative reentrancy hacks ever.
Rari developer Jack Longarzo identified the susceptible pools (8, 18, 27, 127, 144, 146, 156), which have been temporarily suspended while an internal patch is implemented. At the time of writing, Rari’s internal and external security engineers are working with DeFi service provider Compound Treasury to investigate and contain the attack.
PeckShield, a blockchain investigator, traced the attack to a reentrancy issue: a function hands control to an untrusted external contract, which can call back into the protocol before the original call has finished updating its state.
The old reentrancy bug bites again on Compound forks w/ $80M loss! This time, it re-enters via exitMarket()!!! https://t.co/NpC8AAZRXc
Watch out, all Compound forks in EVM-compliant chains. Get in touch with your auditors now or feel free to contact us if we can be of any help pic.twitter.com/M9JElTWMSd
— PeckShield Inc. (@peckshield) April 30, 2022
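To make the ordering problem behind reentrancy concrete, here is a small Python model added for this article (it is not code from Rari, Compound or Fei, and it does not reproduce the exitMarket() path the tweet above refers to). The pool, the "external call" and the callback object are all constructed here; the callback is a test double that re-enters `withdraw` the way an untrusted contract could. The model lets you toggle the two standard defenses independently: checks-effects-interactions (zero the balance before the external call) and a reentrancy guard (reject nested calls into the protected function).

```python
"""Toy lending-pool model: why the order of state update vs. external call matters.

Simplified model written for this article, not Rari/Compound/Fei code. No real
EVM semantics are involved; the 'external call' is a plain Python method call.
"""
from dataclasses import dataclass, field


class ReentrancyDetected(Exception):
    """Raised by the guarded pool when a call re-enters a protected function."""


class InsufficientLiquidity(Exception):
    """Raised when a withdrawal exceeds what the pool actually holds."""


@dataclass
class Pool:
    """Users deposit, then withdraw; withdraw pays out via a callback on the receiver.

    cei=True   -> checks-effects-interactions: balance is zeroed BEFORE the callback.
    guard=True -> reentrancy guard: nested calls into withdraw() are rejected.
    Both False reproduces the vulnerable ordering (effect after interaction).
    """
    cei: bool
    guard: bool
    balances: dict = field(default_factory=dict)
    reserves: int = 0
    _locked: bool = False

    def deposit(self, who, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who) -> None:
        if self.guard and self._locked:
            raise ReentrancyDetected("withdraw() re-entered while in progress")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)          # check
            if amount == 0:
                return
            if amount > self.reserves:
                raise InsufficientLiquidity("pool cannot cover this withdrawal")
            if self.cei:
                self.balances[who] = 0                   # effect before interaction
            self.reserves -= amount
            who.receive(self, amount)                    # interaction: untrusted callback
            if not self.cei:
                self.balances[who] = 0                   # effect after interaction: too late
        finally:
            self._locked = False


class ReenteringReceiver:
    """Test double for a contract whose receive hook calls back into the pool.

    It attempts at most `attempts` nested withdrawals; a rejected nested call is
    swallowed, as a low-level call returning false would be in practice.
    """

    def __init__(self, attempts: int):
        self.attempts = attempts
        self.received = 0

    def receive(self, pool: Pool, amount: int) -> None:
        self.received += amount
        if self.attempts > 0:
            self.attempts -= 1
            try:
                pool.withdraw(self)
            except (ReentrancyDetected, InsufficientLiquidity):
                pass


def run_scenario(cei: bool, guard: bool, attempts: int = 3) -> tuple:
    """Constructed scenario: honest depositor holds 90, the re-entering receiver 10.

    Returns (amount the receiver walked away with, reserves left in the pool).
    """
    pool = Pool(cei=cei, guard=guard)
    pool.deposit("honest-depositor", 90)
    receiver = ReenteringReceiver(attempts=attempts)
    pool.deposit(receiver, 10)
    pool.withdraw(receiver)
    return receiver.received, pool.reserves


if __name__ == "__main__":
    for cei, guard in [(False, False), (True, False), (False, True), (True, True)]:
        got, left = run_scenario(cei, guard)
        print(f"cei={cei!s:5} guard={guard!s:5} -> receiver got {got:3}, reserves left {left:3}")
```

With neither defense the receiver, who deposited 10, walks away with 40 and the pool is left holding 60 of the 100 it owed, because the balance check passes again on every nested call. Either defense alone caps the payout at the deposited 10; real contracts typically apply both, since a guard protects a single function while the effects-first ordering also covers re-entry through other functions that read the same state.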
The attacker has sent 5,400 Ether (ETH), or $15,298,900 at the time of writing, to Tornado Cash and still holds 22,672.97 ETH, or $64,245,245.43, in their wallet, according to security-focused rating site CertiK. The Rari pool has been drained of funds, whereas the Fei pools (Tribe, Curve) have remained untouched.
Rari Capital was previously the victim of a costly exploit on May 8, 2021, stemming from its integration with Alpha Venture DAO, formerly Alpha Finance Lab. As of this writing, the Fei Protocol team has yet to publish the formal findings of its investigation.
Several projects and protocols have opted to strengthen their security mechanisms as the crypto community fights hackers in an ever-evolving struggle. Following the $600 million theft earlier this month, the Ronin Network and Sky Mavis announced plans on Thursday to improve their smart contracts.
We have put together a postmortem regarding the Ronin exploit that occurred on March 23rd.
• Why it happened
• What we’re doing to make sure this never happens again
• Ronin bridge re-opening update https://t.co/FfwCtCG84E
— Ronin (@Ronin_Network) April 27, 2022
The FBI attributed the attack to Lazarus, a North Korea-based, state-sponsored hacking group, and issued a warning to other crypto and blockchain companies.