Key Takeaways

  • The hack used a price manipulation attack to trick Rari Capital’s smart contract into misjudging the price of Alpha’s ibETH token.
  • The team has been working with other Ethereum developers to fix the vulnerabilities and has been actively answering community questions.
  • During a community call, Rari’s team announced they were forgoing their token allocation to reimburse users who lost funds in this attack.


Following the $11 million hack over the weekend, Rari’s native token crashed from $18 to $10. The team behind the protocol has, however, moved quickly to make victims whole.

Rari Suffers Weekend Hack, Drops $11M

Rari Capital is a DeFi protocol building optimized yield vaults and offering lending and borrowing on niche tokens. Recently, the team integrated Alpha Finance’s ibETH token, which is an interest-bearing Ethereum token. On May 8, the smart contract in charge of depositing ETH in Alpha Finance’s ibETH pool was hacked.

While the exploit threatened no Alpha funds, liquidity providers (LPs) in the Rari ETH pool lost a combined 2,600 ETH, totaling over $10 million. Using a flash loan from dYdX, the hackers artificially inflated the value the Rari ETH pool assigned to its holdings. They then withdrew more ETH from the pool than they had put in, by way of a function the Rari team had not expected outsiders to be able to call.

This technique is called an indirect price manipulation attack. The attacker uses a flash loan to inflate a token’s price artificially for the brief span of a single transaction. Because the price of the Rari ETH pool token is derived from the value of the ibETH the protocol holds, pushing up the price of ibETH also pushes up the price of Rari’s pool token. The manipulation is indirect in that the attacker never has to move the pool token’s price itself, only the price of something the pool reads to value itself.

Mapping of the Rari Capital exploit of May 8. Source: BlockSecTeam.

The attack relied on the attackers being able to trigger the “work” function of the ibETH contract, something the Rari team did not know was possible. Quantstamp, who audited the contracts, did not flag it either. Rari Capital said that in the future it would work more closely with the teams whose contracts it integrates and have them review the integrations.
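To make the mechanism concrete, here is a toy model of the pattern the two paragraphs above describe: a yield vault that prices its own shares off the spot ratio of an interest-bearing token, and an externally callable function on that token that hands control back to the caller while the token’s accounting is transiently inflated. This is an added illustration, not Rari’s or Alpha’s code. The InterestBearingToken, its `work` function, the `in_work` flag and all of the numbers are constructed for the model and do not reproduce the real ibETH contract’s logic; the GuardedVault shows one generic mitigation (refusing to transact while the underlying reports it is mid-operation), which is an assumption about good practice rather than a description of Rari’s actual fix.

```python
"""Toy model of an indirect price manipulation attack on a yield vault.

Added illustration, not Rari Capital's or Alpha Finance's code. Every
contract, function and number below is constructed for the model.
"""
from fractions import Fraction


class InterestBearingToken:
    """Stand-in for an ibETH-style token: price = ETH counted / share supply."""

    def __init__(self, eth, supply):
        self.total_eth = Fraction(eth)
        self.total_supply = Fraction(supply)
        self.in_work = False  # assumed flag: set while control is handed outside

    def price(self):
        return self.total_eth / self.total_supply

    def work(self, transient_eth, callback):
        """Assumed behaviour: temporarily count extra ETH (e.g. flash-loaned
        capital routed through the contract), call back into the caller, then
        unwind. Anything reading price() inside the callback sees it inflated."""
        self.total_eth += Fraction(transient_eth)
        self.in_work = True
        try:
            return callback()
        finally:
            self.in_work = False
            self.total_eth -= Fraction(transient_eth)


class Vault:
    """Vault holding idle ETH plus ib shares; values its own shares off the
    ib token's spot ratio. This is the vulnerable pattern."""

    def __init__(self, ib, cash_eth, ib_shares, vault_supply):
        self.ib = ib
        self.cash = Fraction(cash_eth)
        self.ib_shares = Fraction(ib_shares)
        self.supply = Fraction(vault_supply)
        self.balances = {}

    def total_value(self):
        return self.cash + self.ib_shares * self.ib.price()

    def share_price(self):
        return self.total_value() / self.supply

    def deposit(self, who, eth):
        eth = Fraction(eth)
        minted = eth / self.share_price()
        self.cash += eth
        self.supply += minted
        self.balances[who] = self.balances.get(who, Fraction(0)) + minted
        return minted

    def withdraw(self, who, shares):
        shares = Fraction(shares)
        if shares > self.balances.get(who, Fraction(0)):
            raise ValueError("insufficient shares")
        eth_out = shares * self.share_price()   # reads the (possibly inflated) spot ratio
        if eth_out > self.cash:
            raise ValueError("insufficient vault cash")
        self.balances[who] -= shares
        self.supply -= shares
        self.cash -= eth_out
        return eth_out


class GuardedVault(Vault):
    """Same vault, but it refuses to transact while the underlying token says
    it is mid-operation. One mitigation; pricing off a TWAP rather than the
    spot ratio is another."""

    def _check(self):
        if self.ib.in_work:
            raise RuntimeError("underlying token is mid-operation; spot price untrusted")

    def deposit(self, who, eth):
        self._check()
        return super().deposit(who, eth)

    def withdraw(self, who, shares):
        self._check()
        return super().withdraw(who, shares)


def run_attack(vault, flash_loan=20000, deposit=200, transient=10000):
    """Deposit at the honest price, then withdraw inside `work` at the inflated
    price. Returns the attacker's net ETH profit after repaying the flash loan."""
    assert deposit + transient <= flash_loan   # all capital comes from the loan
    shares = vault.deposit("attacker", deposit)
    received = vault.ib.work(transient, lambda: vault.withdraw("attacker", shares))
    return received - Fraction(deposit)


def demo(vault_cls):
    """Returns (attacker profit, loss borne by the honest LPs) for a vault class."""
    ib = InterestBearingToken(eth=5000, supply=5000)            # 1 ib share = 1 ETH
    vault = vault_cls(ib, cash_eth=1000, ib_shares=1000, vault_supply=2000)
    honest_before = vault.total_value()                          # 2000 ETH
    profit = run_attack(vault)
    return profit, honest_before - vault.total_value()


def attack_is_blocked(vault_cls):
    try:
        demo(vault_cls)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable vault: profit, LP loss =", demo(Vault))
    print("guarded vault blocks the attack:", attack_is_blocked(GuardedVault))
```

In the constructed numbers the attacker deposits 200 ETH at a share price of 1, the transient inflation triples the ib token’s price, the vault then values each of its shares at 21/11 ETH, and the attacker’s 200 shares redeem for about 381.8 ETH. The extra 2000/11 ETH (about 181.8) comes out of the vault’s idle cash, so the loss lands on the remaining LPs while the ib token itself ends the transaction untouched, which is the shape of the incident described in the article. The guarded vault raises before paying out because the underlying is mid-operation.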

While Alpha Finance cannot be blamed for the exploit, a review of Rari’s integration on their part could have caught the vulnerability. The hackers left a message in a pending transaction claiming that Alpha’s quick reaction saved up to $6 million worth of users’ funds at the time of the hack. No funds on Alpha were stolen.

Alpha Finance was itself the victim of a similar exploit when hackers found a vulnerability in its integration of CREAM’s Iron Bank. The attackers took over $37.5 million worth of funds using a similar flash loan-based price manipulation tactic. The account linked to the Rari hack was also responsible for the recent attack on the BSC project Value DeFi.

The team has gone beyond fixing the bugs. All of the protocol contributors decided to forgo their RGT token allocation to reimburse anyone affected by the hack. The 2,000,000 RGT (currently worth over $20 million) have been sent to the DAO in charge of both reimbursing lost funds and rewarding those who helped Rari fight the attack.

Disclaimer: The author held BTC, ETH, and several other cryptocurrencies at the time of writing.
