April 30, 2022

Loss Exceeds $80M Due to Reentrancy Vulnerability in Contract

On April 30, 2022, according to Beosin EagleEye, FeiProtocol’s Rari Fuse Pool was exploited for about 28,380 $ETH. The Beosin security team analyzed the incident; the findings are shown below.

FeiProtocol Introduction

Rari Capital empowers individuals to break free by creating new opportunities, communities and financial products. The official website: https://rari.capital/

Relevant Information

As multiple contracts were exploited, only one transaction is analyzed here.

Transaction hash:


Hacker address:


Hacker contract:


Victim contract:


Exploitation Flow

1. The hacker first takes a flashloan from Balancer: Vault.

2. The hacker uses the flashloaned funds for collateralized lending in Rari Capital, taking advantage of the reentrancy in Rari Capital’s cEther implementation contract. By calling back into the attack function built into the hacker's contract, the attacker withdraws all the tokens in the affected pool.

3. The hacker returns the flashloan and sends the profited funds to the 0xe39f contract.

Vulnerability Analysis

This attack mainly exploits a reentrancy vulnerability in Rari Capital’s cEther implementation contract.

Fund Tracing

As of this writing, the stolen funds are estimated at more than 28,380 ETH (approximately $80.34 million). They are currently being deposited to TornadoCash, with the majority still at the hacker’s address.


In response to this incident, Beosin security team recommends:

1. Use call.value with caution when making ETH transfers. Make sure that reentrancy will not occur.

2. Before the project goes live, it is highly recommended to choose a professional security audit company to conduct a comprehensive security audit to avoid security risks.
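
To illustrate recommendation 1, the following added example (not from the original article and not Rari Capital's code) shows an ETH transfer that is open to reentrancy beside a hardened version. The contract, its 50% collateral rule and all function names are hypothetical and constructed for illustration; `call{value: ...}` is the current Solidity syntax for `call.value`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed, simplified ETH lending pool; not Rari Capital's cEther code.
// All names here are hypothetical. borrowUnsafe is kept only for comparison.
contract MiniEtherPool {
    mapping(address => uint256) public collateral; // ETH deposited, in wei
    mapping(address => uint256) public debt;       // ETH borrowed, in wei
    bool private locked;                            // reentrancy lock

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    // Remaining borrow capacity: half the collateral, minus existing debt.
    function maxBorrow(address who) public view returns (uint256) {
        uint256 limit = collateral[who] / 2;
        return limit > debt[who] ? limit - debt[who] : 0;
    }

    // VULNERABLE: ETH leaves through a low-level call before the debt is
    // recorded, so the recipient's code runs while debt[msg.sender] is stale.
    function borrowUnsafe(uint256 amount) external {
        require(amount <= maxBorrow(msg.sender), "insufficient collateral");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        debt[msg.sender] += amount; // effect applied after the interaction
    }

    // HARDENED: checks, then effects, then the interaction, all under the lock.
    function borrow(uint256 amount) external nonReentrant {
        require(amount <= maxBorrow(msg.sender), "insufficient collateral");
        debt[msg.sender] += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Reads and writes the same balances as borrow, so it takes the same lock.
    function withdrawCollateral(uint256 amount) external nonReentrant {
        require(amount <= collateral[msg.sender] && debt[msg.sender] * 2 <= collateral[msg.sender] - amount, "undercollateralised");
        collateral[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```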
