Rari Capital / Fei Protocol Hack — April 30, 2022
What Happened
In the early morning of April 30, 2022, Rari Capital's Fuse lending pools and Fei Protocol were hit by an $80M+ reentrancy attack. This was the largest DeFi exploit at the time of occurrence.
Root Cause: Reentrancy in Fuse / Compound Fork Code
• The Fuse pool contract used Compound V2 forked code with a known reentrancy pattern
• The vulnerable function executed external token transfers BEFORE updating the user's account balance
• Attacker:
1. Deposited ETH as collateral
2. Triggered a cross-function reentrancy via the Compound borrow() callback
3. Re-entered to claim the deposited ETH back without first repaying the borrow
4. Repeated to drain pool reserves
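The ordering problem described above, as an added Solidity sketch (not Fuse or Compound source, and not code from the original write-up). The contract name `PoolModel` and every function name are hypothetical, and collateral factors, interest and liquidity checks are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model with hypothetical names; not Fuse or Compound source.
// Collateral factors, interest and liquidity checks are omitted.
contract PoolModel {
    mapping(address => uint256) public collateral; // ETH deposited
    mapping(address => uint256) public debt;       // ETH borrowed
    bool private locked;

    // One lock shared by all guarded entry points (blocks cross-function re-entry).
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Sending ETH hands control to the recipient's receive/fallback code.
    function _send(address to, uint256 amount) private {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function deposit() external payable {
        collateral[msg.sender] += msg.value;
    }

    // VULNERABLE: interaction before effect, and no lock taken. While the
    // recipient's code runs, debt is still 0, so withdraw() passes its checks.
    function borrowUnsafe(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        _send(msg.sender, amount);
        debt[msg.sender] += amount; // recorded too late
    }

    // HARDENED: checks, effects, then interaction, under the shared lock.
    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender], "undercollateralized");
        debt[msg.sender] += amount; // recorded before any external call
        _send(msg.sender, amount);
    }

    function withdraw() external nonReentrant {
        require(debt[msg.sender] == 0, "outstanding debt");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        _send(msg.sender, amount);
    }
}
```

Guarding `withdraw()` alone does not help here: `borrowUnsafe()` never takes the lock, so the guard only works when every entry point that touches the same accounting shares it.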
Affected Pools
Rari Fuse pools 8, 18, 27, 127, 144, 146, 156 — multiple isolated pools all sharing the same vulnerable cToken implementation.
Financial Impact
• $80M+ total loss, primarily from FRAX, FEI, USDC, ETH borrowed against Fuse pool collateral
• Fei Protocol DAO ultimately paid users out of treasury
• Tribe DAO voted to wind down Rari Capital and Fei Protocol within months
Response
• Fei team paused all borrowing across affected pools immediately
• Offered $10M bounty to attacker for return of funds
• Attacker funneled funds through Tornado Cash — no return
• PeckShield confirmed the same reentrancy class affected other Compound forks (Hundred Finance, Channels Finance, etc. were later hit by variants)
Significance
• Demonstrated systemic risk of Compound V2 fork implementations
• Hastened wind-down of Tribe DAO/Fei
• Class of attack now well-known: "cross-function reentrancy via callback hooks" (especially ERC-777 tokens)