Rari Capital Hack - May 2021 ($10M)
Overview
The exploit drained a total of 2,600 ETH (about $10.6 million at the time) from Rari Capital's Ethereum pool. The attack occurred on May 8, 2021.
The Vulnerability
The attacker exploited Rari Capital's yield-generating integration with Alpha Finance Labs' ibETH token. Specifically, the attacker used the ibETH.work function to inflate the value of ibETH as seen by Rari Capital's Ethereum Pool, then called the pool's withdrawal function while that inflated value was in effect, extracting more ETH than they had deposited.
Technical Details
Rari Capital's Ethereum Pool valued its ibETH holdings at the spot ratio ibETH.totalETH() / ibETH.totalSupply(). The team was unaware that ibETH.totalETH() can be manipulated while ibETH.work is executing, so the ibETH price the pool read could be artificially inflated. Compounding this, a caller of ibETH.work could invoke any contract from inside that function, so the pool's withdrawal could be triggered before the manipulation unwound. Any share price derived from the spot ratio of an external contract that hands control back to its caller mid-execution can be moved within a single transaction; the pool needed a rate that cannot be read while the bank is in that transient state.
Impact
The losses amounted to 60% of all user funds in the Ethereum Pool. The Rari governance token (RGT) fell almost 50%, from $17 to $9.07, following the attack.
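The valuation flaw described under Technical Details, replayed as an added example that is not Rari Capital's or Alpha Homora's code: a simplified bank whose totalETH() includes ETH sent to work() while the caller's strategy runs, a pool that marks its ibETH at the spot ratio, and the same pool with an added check that refuses to price ibETH while the bank is mid-work. The contract shapes, the in_work flag and every amount are assumptions made for the model, not the on-chain figures.

```python
from fractions import Fraction as F


class IbEthBank:
    """Simplified model of an interest-bearing ETH vault such as ibETH.

    Assumption, not Alpha Homora's real code: totalETH() is the ETH the bank
    currently holds, work() is payable, and work() runs a caller-supplied
    strategy while the caller's ETH is still counted in totalETH().
    """

    def __init__(self, eth, shares):
        self.eth = F(eth)              # ETH counted by totalETH()
        self.total_supply = F(shares)  # ibETH shares outstanding
        self.in_work = False           # True while work() is executing

    def total_eth(self):
        return self.eth

    def rate(self):
        # ibETH priced in ETH: the spot ratio totalETH() / totalSupply()
        return self.total_eth() / self.total_supply

    def work(self, value, strategy):
        """Accept `value` ETH, run the caller's strategy, then release the ETH."""
        self.in_work = True
        self.eth += F(value)   # msg.value lands in the bank: totalETH() jumps
        strategy()             # arbitrary caller-controlled calls happen here
        self.eth -= F(value)   # the ETH leaves again when work() finishes
        self.in_work = False


class EthPool:
    """Simplified yield pool holding ibETH, valued at the bank's spot rate.

    hardened=False reproduces the flaw; hardened=True refuses to price ibETH
    while the bank is inside work() (an assumed in_work flag on the bank).
    """

    def __init__(self, bank, eth_reserve, ibeth_held, lp_shares, hardened=False):
        self.bank = bank
        self.eth_reserve = F(eth_reserve)        # idle ETH that pays withdrawals
        self.ibeth_held = F(ibeth_held)          # ibETH deposited with the bank
        self.shares = {"others": F(lp_shares)}   # pre-existing depositors
        self.total_shares = F(lp_shares)
        self.hardened = hardened

    def value(self):
        # ETH value of pool holdings; ibETH is marked at bank.rate() (spot)
        return self.eth_reserve + self.ibeth_held * self.bank.rate()

    def _check_rate_source(self):
        if self.hardened and self.bank.in_work:
            raise RuntimeError("ibETH rate untrusted: bank.work() in progress")

    def deposit(self, user, amount):
        self._check_rate_source()
        amount = F(amount)
        minted = amount * self.total_shares / self.value()
        self.eth_reserve += amount
        self.shares[user] = self.shares.get(user, F(0)) + minted
        self.total_shares += minted
        return minted

    def withdraw(self, user, shares):
        self._check_rate_source()
        shares = F(shares)
        payout = shares * self.value() / self.total_shares
        if payout > self.eth_reserve:
            raise RuntimeError("insufficient ETH reserve")
        self.eth_reserve -= payout
        self.shares[user] -= shares
        self.total_shares -= shares
        return payout


def run_attack(hardened=False, deposit=100, inflate=1000):
    """Deposit at fair value, then withdraw from inside bank.work() while
    totalETH() is inflated. Returns the attacker's net ETH profit, the loss
    borne by the other depositors, and whether the in-work withdrawal was
    blocked. All amounts are constructed for the model."""
    bank = IbEthBank(eth=1000, shares=1000)  # 1 ibETH = 1 ETH at the start
    pool = EthPool(bank, eth_reserve=500, ibeth_held=500, lp_shares=1000,
                   hardened=hardened)
    shares = pool.deposit("attacker", deposit)  # priced fairly: 100 shares
    outcome = {"blocked": False}

    def strategy():
        # Inside work(): rate() is (1000 + inflate) / 1000, so the pool
        # overvalues its ibETH and pays out more ETH than was deposited.
        try:
            outcome["payout"] = pool.withdraw("attacker", shares)
        except RuntimeError:
            outcome["blocked"] = True

    bank.work(inflate, strategy)  # the `inflate` ETH returns to the caller after

    if outcome["blocked"]:
        # Once work() has returned the rate is honest again: a fair withdrawal
        outcome["payout"] = pool.withdraw("attacker", shares)
    outcome["profit"] = outcome["payout"] - F(deposit)
    others_value = pool.value() * pool.shares["others"] / pool.total_shares
    outcome["others_loss"] = F(1000) - others_value
    return outcome


if __name__ == "__main__":
    for hardened in (False, True):
        r = run_attack(hardened=hardened)
        print(f"hardened={hardened}: blocked={r['blocked']} "
              f"profit={float(r['profit']):.2f} ETH "
              f"others_loss={float(r['others_loss']):.2f} ETH")
```

With the constructed numbers the vulnerable pool pays the attacker about 145 ETH for a 100 ETH deposit, and the roughly 45 ETH of profit is exactly what the other depositors lose; the hardened pool raises inside the callback and the later withdrawal returns exactly 100 ETH. The in_work check is one mitigation among several: a rate that is only refreshed between transactions, or a view on the bank side that reverts while it is mid-execution, closes the same window.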
Remediation
Rari Capital planned to reimburse the stolen $10.6M of ETH from its developer fund.
Sources