April 30, 2022

Loss Exceeds $80M Due to Reentrancy Vulnerability in Contract

On April 30, 2022, according to Beosin EagleEye, FeiProtocol’s Rari Fuse Pool was exploited for about 28,380 $ETH. Beosin security team analyzed the incident and the findings are shown below.



FeiProtocol Introduction

Rari Capital empowers individuals to break free by creating new opportunities, communities and financial products. The official website: https://rari.capital/




Relevant Information

As multiple contracts were exploited, only one transaction is analyzed here.

Transaction hash:
0xab486012f21be741c9e674ffda227e30518e8a1e37a5f1d58d0b0d41f6e76530

Hacker address:
0x6162759edad730152f0df8115c698a42e666157f

Hacker contract:
0x32075bad9050d4767018084f0cb87b3182d36c45

Victim contract:
0x26267e41CeCa7C8E0f143554Af707336f27Fa051





Exploitation Flow

1. The hacker first takes a flashloan from Balancer: Vault.

2. The flashloaned funds are deposited as collateral in a Rari Capital pool and borrowed against. Because Rari Capital's cEther implementation contract is vulnerable to reentrancy, the attacker's contract is called back while the pool is still in the middle of the borrow, and from the attack function built into that callback it withdraws all the tokens from the affected pool.

3. The flashloan is repaid and the profit is sent to the 0xe39f contract.






Vulnerability Analysis

This attack mainly exploits a reentrancy vulnerability in Rari Capital's cEther implementation contract. The contract pays out ETH with a low-level call.value, which forwards all remaining gas to the recipient, so a receiving contract's fallback has enough gas to call back into the pool before the original call has finished writing its state; the re-entered function then acts on stale balances and releases collateral that should already be locked behind the loan. (A transfer or send forwards only a 2300-gas stipend, which is why the same ordering is not re-enterable through those primitives, although relying on the stipend is not a sound defence either.)




Fund Tracing

As of this writing, the stolen funds are estimated at more than 28,380 ETH (approximately $80.34 million). Part of them is being deposited into Tornado Cash, with the majority still held at the hacker's address.




Summary

In response to this incident, Beosin security team recommends:


1. Use call.value with caution when making ETH transfers: it forwards all remaining gas to the recipient, so any state the function still has to write after the transfer can be observed and abused by a re-entering contract. Update state before making the external call (checks-effects-interactions) and add a reentrancy guard so that no function of the contract can be re-entered from an ETH callback.

2. Before the project goes live, it is highly recommended to engage a professional security audit company for a comprehensive security audit, so that such risks are found before deployment.
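The following is an added illustration of the bug class described in the Vulnerability Analysis section and of the fix behind recommendation 1; it is not the Rari Fuse or Compound cEther code. It assumes a toy single-asset ETH pool in which a user may borrow up to the ETH they deposited, and that the pool already holds at least as much ETH from other depositors as the attacker brings. The contract and function names (VulnerableEtherPool, HardenedEtherPool, Attacker, mint, borrow, redeem, attack) are hypothetical; call{value: ...}("") is the modern spelling of the call.value(...)("") mentioned above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative toy pool (not the Rari Fuse / Compound cEther code).
// collateral[user] is ETH deposited, borrows[user] is ETH lent out;
// a user may borrow up to their collateral.
contract VulnerableEtherPool {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public borrows;

    // Deposit ETH as collateral.
    function mint() external payable {
        collateral[msg.sender] += msg.value;
    }

    // BUG: ETH is pushed out with a low-level call (all remaining gas is
    // forwarded) BEFORE the borrow is recorded. While that call runs,
    // borrows[msg.sender] still reads 0, so the recipient can re-enter
    // and redeem collateral that should already be locked behind the loan.
    function borrow(uint256 amount) external {
        require(borrows[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first
        require(ok, "ETH transfer failed");
        borrows[msg.sender] += amount;                      // effect last: too late
    }

    // Withdraw collateral that is not backing an outstanding borrow.
    function redeem(uint256 amount) external {
        require(collateral[msg.sender] >= borrows[msg.sender] + amount, "collateral locked");
        collateral[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}

// Attacker: deposit X, borrow X, and inside the ETH callback pull the X of
// collateral back out before borrow() has written its state. The attacker
// ends with 2X and the pool is short X of other depositors' ETH.
contract Attacker {
    VulnerableEtherPool public immutable pool;

    constructor(VulnerableEtherPool _pool) { pool = _pool; }

    function attack() external payable {
        pool.mint{value: msg.value}();
        pool.borrow(msg.value); // triggers receive() below mid-call
    }

    receive() external payable {
        uint256 c = pool.collateral(address(this));
        if (c > 0) {
            pool.redeem(c); // passes: borrows[this] is still 0 at this point
        }
        // redeem() also sends ETH and lands here again, but collateral is
        // now 0, so the re-entry stops by itself.
    }
}

// Fix: checks-effects-interactions (record the borrow before sending ETH)
// plus a mutex so no pool function can be re-entered from an ETH callback.
contract HardenedEtherPool {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public borrows;
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function mint() external payable {
        collateral[msg.sender] += msg.value;
    }

    function borrow(uint256 amount) external nonReentrant {
        require(borrows[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        borrows[msg.sender] += amount;                      // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "ETH transfer failed");
    }

    function redeem(uint256 amount) external nonReentrant {
        require(collateral[msg.sender] >= borrows[msg.sender] + amount, "collateral locked");
        collateral[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

Against VulnerableEtherPool, calling attack() with X ETH leaves the Attacker contract holding 2X. Against HardenedEtherPool the same call reverts twice over: the re-entered redeem() is rejected by the nonReentrant mutex, and even without the mutex its collateral check fails because the borrow has already been written. Either measure alone closes this hole; the pair is the usual defence in depth.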
