A recent integration with another DeFi protocol exposed Rari Capital to an $11 million hack. Now, they’re paying victims back.
Key Takeaways
The hack used a price manipulation attack to trick Rari Capital’s smart contract into misjudging the price of Alpha’s ibETH token.
The team has been working with other Ethereum developers to fix the vulnerabilities and has been actively answering community questions.
During a community call, Rari’s team announced they were foregoing their token allocation to reimburse users who lost funds in this attack.
Following the $11 million hack over the weekend, Rari’s native token crashed from $18 to $10. The team behind the protocol has, however, moved quickly to make victims whole.
Rari Suffers Weekend Hack, Drops $11M
Rari Capital is a DeFi protocol building optimized yield vaults and offering lending and borrowing on niche tokens. Recently, the team integrated Alpha Finance’s ibETH token, which is an interest-bearing Ethereum token. On May 8, the smart contract in charge of depositing ETH in Alpha Finance’s ibETH pool was hacked.
While the exploit threatened no Alpha funds, liquidity providers (LPs) from the Rari ETH pool lost a combined 2,600 ETH, totaling over $10 million. The hackers artificially inflated the value of the ETH pool on Rari by using a flash loan from dYdX. They then withdrew ETH from the pool using a function that the hackers should not have had access to.
This technique is called an indirect price manipulation attack. It relies on the attacker using a flash loan to artificially inflate the token’s price for a few brief moments. As the price of the token on the Rari ETH pool is linked to the value of the ibETH held by the protocol, manipulating the price of ibETH influences Rari’s ETH pool token as well.
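The linkage described above can be shown with a simplified model. This is an added example, not code from Rari, Alpha, or the original article: the `Vault` class, the `max_deviation` guard, and all numbers are constructed assumptions. It compares a vault that values its holdings at whatever rate is reported mid-transaction with one that rejects rates far from a reference recorded earlier.

```python
class RateDeviation(Exception):
    """Raised when the reported rate strays too far from the reference."""

class Vault:
    """Toy vault: liquid ETH plus an interest-bearing token valued at a reported rate."""
    def __init__(self, reserve, wrapped, shares, ref_rate, max_deviation=None):
        self.reserve = reserve              # liquid ETH held by the vault
        self.wrapped = wrapped              # interest-bearing tokens held
        self.total_shares = shares          # pool tokens issued to LPs
        self.ref_rate = ref_rate            # rate checkpointed in an earlier block
        self.max_deviation = max_deviation  # None = no guard (vulnerable valuation)

    def _value(self, reported_rate):
        # Hardened path: refuse to price shares off a rate that moved too far.
        if self.max_deviation is not None:
            drift = abs(reported_rate - self.ref_rate) / self.ref_rate
            if drift > self.max_deviation:
                raise RateDeviation(f"rate moved {drift:.0%} from reference")
        return self.reserve + self.wrapped * reported_rate

    def deposit(self, eth, reported_rate):
        minted = eth * self.total_shares / self._value(reported_rate)
        self.reserve += eth
        self.total_shares += minted
        return minted

    def withdraw(self, shares, reported_rate):
        eth_out = shares * self._value(reported_rate) / self.total_shares
        self.reserve -= eth_out
        self.total_shares -= shares
        return eth_out

def round_trip(vault, eth_in, rate_at_deposit, rate_at_withdraw):
    """ETH gained by a deposit and withdrawal; positive means existing LPs paid for it."""
    shares = vault.deposit(eth_in, rate_at_deposit)
    return vault.withdraw(shares, rate_at_withdraw) - eth_in

def demo():
    # Constructed state: 1000 ETH liquid, 1000 wrapped tokens at a true rate of 1.0.
    unguarded = Vault(1000.0, 1000.0, 2000.0, ref_rate=1.0)
    guarded = Vault(1000.0, 1000.0, 2000.0, ref_rate=1.0, max_deviation=0.02)
    loss = round_trip(unguarded, 100.0, 1.0, 1.5)  # rate briefly reported as 1.5
    try:
        round_trip(guarded, 100.0, 1.0, 1.5)
        blocked = False
    except RateDeviation:  # on-chain, this revert would undo the whole transaction
        blocked = True
    return loss, blocked

if __name__ == "__main__":
    print(demo())
```

In the unguarded vault the round trip drains about 23.8 ETH from existing depositors even though the true rate never changed; the guarded vault refuses to price the withdrawal.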
The attack relied on the “work” function of the ibETH contract being activated by the attackers, something the Rari team didn’t know to be possible. Quantstamp, who audited the contracts, didn’t notice the exploit either. Rari Capital said that, in the future, they would work more closely with the original team whose contract they integrate and have them review the integrations.
While Alpha Finance can’t be blamed for the exploit, if they had reviewed the security of Rari’s integration, they could have spotted the vulnerability. The hackers left a message in a pending transaction claiming that Alpha’s quick reaction saved up to $6 million worth of users’ funds at the time of the hack. No funds on Alpha were stolen.
The hacker has left a base64-encoded message saying
Alpha Finance were themselves victims of a similar exploit when hackers found a vulnerability in their integration of CREAM’s Iron Bank. The attackers had then taken over $37.5 million worth of funds using a similar flash loan-based price manipulation tactic. The account linked to the hack was also responsible for the recent attack on the BSC project Value DeFi.
The team has gone beyond fixing the above-mentioned bugs too. All of the protocol contributors decided to forego their token allocation in RGT to reimburse anyone affected by the hack. The 2,000,000 RGT (currently worth over $20 million) have been sent to the DAO in charge of both reimbursing lost funds and rewarding those who helped Rari fight the attack.
Disclaimer: The author held BTC, ETH, and several other cryptocurrencies at the time of writing.