Drop your email to read the BlockApex newsletter and keep yourself updated around the clock.
Table Of Content
Share:
Introduction
Rari capital got hacked for around $79M through a classic re-entrancy attack. Rari is a fork of compound finance that had this bug fixed earlier. It is not the first time Rari has been a victim of a hack.
Pre-requisite
Rari is a fork of compound finance & compound had a known issue of re-entrancy attack whenever CTokens were borrowed through borrow() function.
This was patched by the Rari team by introducing a pool-wide re-entrancy guard on CTokens.
There also exists a component called “comptroller” which is responsible for functions such as providing & withdrawing collateral by calling enterMarkets() & exitMarket respectively.
The comptroller contract did not have re-entrancy checks in place. The attacker exploited through the exitMarket() function which makes the deposited asset no longer a collateral meaning it can be withdrawn at any time.
The pool triggers the fallback function of the exploiter contract while sending ether to the exploit contract where the attacker makes a re-entrant call to exitMarket() & withdraws his collateral of 80,000 WSTETH.
The attacker receives 2397ETH for free & transfers it to another contract for later claiming.
The attacker repeats steps 1-4 until all borrowed amount is collected.
The attacker applies the same strategy on 7 different pools & runs away with ~$79M of profit.
Jimbo's Protocol is a decentralized finance (DeFi) system built on the Arbitrum chain. The protocol uses a semi-stable floor price for its ERC-20 token, $JIMBO, backed by a treasury of Ether (ETH). However, despite its pioneering efforts to maintain on-chain liquidity and price floors, Jimbo's Protocol recently faced a Flash loan attack.
In April 2023, Merlin DEX,a decentralized exchange (DEX) built on ZkSync, suffered a hack during a Liquidity Generation Event for its MAGE token, resulting in an estimated loss of $1.8 million from the protocol.
Harvest finance got hacked for around $34M due to a flashloan attack which manipulated the price in the Curve pool to retrieve more USDT tokens than originally deposited USDT amount in fUSDT pool.
Safemoon suffered an attack in which the SFM/BNB pool was drained, resulting in a loss of $8.9M worth of ‘locked LP’. The attack was carried out by exploiting a vulnerability in the new Safemoon contract that allowed anyone to burn SFM tokens from any address, thus inflating the price of SFM tokens in the pool.
On 21sth November 2021, Pickle finance was hacked, where an attacker was able to drain $19M DAI from the pDai jar. The attack exploited multiple inconsistencies & flaws in the logic of the pickle jar contract.
Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.
The BonqDAO security breach that occurred on February 2, 2023, had far-reaching consequences for the platform, its users, and the wider DeFi ecosystem. The attack exploited a vulnerability in the integration of the Tellor Oracle system, which BonqDAO relied on for obtaining token price information.
On Apr 17, 2023. The DeFiGeek Community fell victim to a security breach in which an attacker exploited a flash loan vulnerability, causing the loss of 10 ETH (valued at over $20,000) from their DeFiGeek Community Pool Dai (fDAI-102
The Level Finance hack significantly affected the platform and its users, as the attacker managed to steal $1.1 million in referral rewards. This breach undermined trust in Level Finance and raised concerns about the security of similar DeFi platforms.