May 11th, 2021
On May 8, 2021, Rari Capital, a DeFi project, was the victim of a smart contract hack. The attacker stole approximately $11 million worth of tokens from the project, which is approximately 60% of all of the user funds invested in the project.
Like the recent Spartan Protocol hack, the attack against Rari Capital took advantage of how liquidity shares were calculated by a smart contract within the project.
Rari Capital had set up an Ethereum Pool on their platform, which stored ETH and provided interest-bearing tokens in exchange.
The Ethereum Pool in question was linked to Alpha Finance and deposited ETH into Alpha Finance’s ibETH token for yield generation. When setting up this contract, the Rari Capital team was unaware of two features of the Alpha Finance ibETH pool:
The attacker took advantage of these two factors to perform their attack. Using the ibETH.work function, they inflated the value of ibETH within Rari Capital’s pool by inflating the value of ibETH.totalETH. They then called the withdrawal function of the Rari Capital Ethereum pool, extracting more ETH than they initially deposited due to this inflated value. This allowed them to drain the pool of value contributed by other Rari Capital users.
The Rari Capital hack demonstrates the lengths that attackers are willing to go to exploit DeFi protocols and carry out their attacks.
In this case, the attacker took advantage of a couple of subtle details regarding how Alpha Finance’s contracts work to carry out their attack. Without the ability to manipulate the total ETH value or call other contracts within ibETH.work, this attack would not have been possible.
Like the Spartan Protocol hack, this incident underscores the importance of double-checking how liquidity share calculations are performed in DeFi protocols. Although the ratio of deposited value to total token supply should be invariant, attackers have demonstrated multiple times that these values can be eliminated.
As a result of this hack, Rari Capital plans to undergo additional security audits of their contracts. While the contracts were previously audited by Quantstamp, engaging multiple auditors with different perspectives can help with ferreting out these complex vulnerabilities before they can be exploited by an attacker.