Rari Capital Hack Analysis & POC

Abdul Sami J.
May 4, 2022

NEWSLETTER

Drop your email to read the BlockApex newsletter and keep yourself updated around the clock.

    Table Of Content

    Share:

    Introduction

    Rari capital got hacked for around $79M through a classic re-entrancy attack. Rari is a fork of compound finance that had this bug fixed earlier. It is not the first time Rari has been a victim of a hack.

    Pre-requisite

    1. Rari is a fork of compound finance & compound had a known issue of re-entrancy attack whenever CTokens were borrowed through borrow() function.
    2. This was patched by the Rari team by introducing a pool-wide re-entrancy guard on CTokens. 
    3. There also exists a component called “comptroller” which is responsible for functions such as providing & withdrawing collateral by calling enterMarkets() & exitMarket respectively.
    4. The comptroller contract did not have re-entrancy checks in place. The attacker exploited through the exitMarket() function which makes the deposited asset no longer a collateral meaning it can be withdrawn at any time.

    The Exploit

    The attacker created 2 contracts.

    1. For Exploiting Rari Fuse Pools 
    2. For Receiving Profits after exploits

    There were 7 pools that were affected due to this exploit  (8,18,27,127,144,146,156)

    1. https://etherscan.io/tx/0xa185f63b82cbb199a435399cfd414b89ebab91485d5034cdf8861a5f958259a4
    2. https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6
    3. https://etherscan.io/tx/0x0f75349606610313cb666277eeda612e72be624cae061d017e503056bbf4d8e0
    4. https://etherscan.io/tx/0x0742b138a78ad9bd5d0b55221d514637313bc64c40272ca98c8d0417a519e2e4
    5. https://etherscan.io/tx/0x254735c6c14e4d338b1cc5bca43aab6b0f395ae06085013b1b2527180d270a31
    6. https://etherscan.io/tx/0xab486012f21be741c9e674ffda227e30518e8a1e37a5f1d58d0b0d41f6e76530
    7. https://etherscan.io/tx/0x9e4d4f4ebb45d1e03813d834494045c1b6ea2adbde1b89fbe24349846c223779

    We will be focusing on this specific transaction to understand the hack.

    https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6

    1. Attacker took flashloan of 50,000 WETH & 80,000 WSTETH from Balancer vault
    1. The attacker deposited 80,000 WSTETH collateral into fWSTETH-146 pool.
    2. After depositing, the attacker borrowed 2397 ETH from fWSTETH-146 pool without updating the borrower's record.

    https://etherscan.io/address/0x49da42a1eca4ac6ca0c6943d9e5dc64e4641e0e3#code

    1. The pool triggers the fallback function of the exploiter contract while sending ether to the exploit contract where the attacker makes a re-entrant call to exitMarket() & withdraws his collateral of 80,000 WSTETH.
    1. The attacker receives 2397 ETH for free & transfers it to another contract for later claiming.
    1. The attacker repeats steps 1-4 until all borrowed amount is collected.
    2. The attacker applies the same strategy on 7 different pools & runs away with ~$79M of profit.

    Hack Yourself!

    Here is the Github repo that has POC for the hack.

    More Weblogs

     How Can a VPN Protect You From Spying?

    VPN uses a private network that helps users mask their surfing history on the internet, hackers even advertisers can’t steal the data and use it for their means. 

    Ayesha Yousuf
    September 14, 2022
    Smart Contract Security Audit: An Auditor's Interrogation

    A comprehensive introduction to smart contract security audit and preparation of relevant interview questions.

    Jarir
    September 8, 2022
    GameFi: Future of Gaming or Short-lived Gimmick?

    On the surface, the GameFi industry sounds revolutionary. However, digging a little deeper reveals several questions about its legitimacy. What are the risks associated with its play-to-earn model? Are all games which claim to be a part of GameFi credible? And, at the end of the day, is this a viable direction for gaming, or nothing more than a short-lived gimmick?

    Sarah Imran
    June 23, 2022
    Designed & Developed by: 
    All rights reserved. Copyright 2020-21