Hackers steal over $80m from DeFi platforms, Rari Capital and Fei Protocol

According to the DeFi security firm – BlockSec, Fei Protocol and Rari Capital are the latest victims of the cybersecurity attack that resulted in an $80 million loss.

Continuing a trend seen in many other DeFi attacks over the past year, the hacker exploited what is known as a reentrancy bug – a form of smart contract exploit that essentially allows an attacker to trick a protocol into letting them withdraw an excess supply of tokens they don’t actually own. 

Fei Protocol confirmed the attack on Twitter, saying it had identified an exploit in its Rari Fuse pools and paused its borrowing feature. It also offered the hacker a $10 million bounty in exchange for the safe return of the funds.

The blockchain analytics firm – PeckShield also confirmed the attack in a tweet, noting that “the old reentrancy bug bites again.”

The attacker already funnelled the funds through Tornado Cash, an Ethereum-based mixer that helps users preserve privacy by obfuscating their transaction history.

Rari Capital is a permissionless lending protocol, which allows users create Fuse pools where they can supply and borrow ERC-20 tokens.

Rari’s Fuse pools run on Ethereum’s sprawling DeFi ecosystem. They offer a way to create isolated lending markets for all kinds of tokenised assets.

One of Rari’s key users is Fei. Fei supplies $FEI to Rari’s lending markets in order to increase its liquidity and make the stablecoin more robust. Due to their close relationship, the two projects announced a merger last year. 

Fei Protocol is an algorithmic stablecoin protocol that uses the Protocol Controlled Value (PCV) model to manage its stablecoin, which is pegged against the U.S. dollar. 

The trend of DeFi attacks

DeFi vulnerabilities have come to the fore this year, with nearly $1 billion lost to fraud already in just a little over the first quarter. Almost equalling the $1.3 billion lost in 2021 to DeFi hacks.

The hackers use exploits and phishing to steal millions from platforms and directly from consumers. 

The Rari protocol joins the Ronin Network, Inverse Finance, and Beanstalk, all of which have suffered from exploits this year. In many of these hacks, the Ethereum mixing protocol Tornado Cash has played a key role in helping hackers hide their trails.

The Ronin Attack is the largest in terms of digital assets lost, with the network losing about $625 million in the hack. Notably, US law enforcement has since linked the attack with a North Korean State-funded group called Lazarus.

Yesterday, only a few hours after the Rari attack, Saddle Finance was also hit by a similar seven-figure exploit.

On April 17, Beanstalk was drained of about $76 million. Also, last Thursday, DEUS Finance was hit, with the hacker making off with about $13.4 million. 

The theft defects prevalent in the crypto sector, especially DeFi, led to the IMF Report Technext published last month which calls for regulations of DeFi. It worries that its unregulated landscape poses fraud and cyber risks, concerns that have been put forward many times before.

For Web3 users, the endless wave of attacks should serve as a reminder of the risks associated with using Ethereum and the need to be vigilant in navigating the murky waters of the still-nascent blockchain technology.