Rari Capital Hack Analysis & POC

Table Of Content

Share:

Introduction

Rari capital got hacked for around $79M through a classic re-entrancy attack. Rari is a fork of compound finance that had this bug fixed earlier. It is not the first time Rari has been a victim of a hack.

Pre-requisite

  1. Rari is a fork of compound finance & compound had a known issue of re-entrancy attack whenever CTokens were borrowed through borrow() function.
  2. This was patched by the Rari team by introducing a pool-wide re-entrancy guard on CTokens. 
  3. There also exists a component called “comptroller” which is responsible for functions such as providing & withdrawing collateral by calling enterMarkets() & exitMarket respectively.
  4. The comptroller contract did not have re-entrancy checks in place. The attacker exploited through the exitMarket() function which makes the deposited asset no longer a collateral meaning it can be withdrawn at any time.

The Exploit

The attacker created 2 contracts.

  1. For Exploiting Rari Fuse Pools 
  2. For Receiving Profits after exploits

There were 7 pools that were affected due to this exploit  (8,18,27,127,144,146,156)

  1. https://etherscan.io/tx/0xa185f63b82cbb199a435399cfd414b89ebab91485d5034cdf8861a5f958259a4
  2. https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6
  3. https://etherscan.io/tx/0x0f75349606610313cb666277eeda612e72be624cae061d017e503056bbf4d8e0
  4. https://etherscan.io/tx/0x0742b138a78ad9bd5d0b55221d514637313bc64c40272ca98c8d0417a519e2e4
  5. https://etherscan.io/tx/0x254735c6c14e4d338b1cc5bca43aab6b0f395ae06085013b1b2527180d270a31
  6. https://etherscan.io/tx/0xab486012f21be741c9e674ffda227e30518e8a1e37a5f1d58d0b0d41f6e76530
  7. https://etherscan.io/tx/0x9e4d4f4ebb45d1e03813d834494045c1b6ea2adbde1b89fbe24349846c223779

We will be focusing on this specific transaction to understand the hack.

https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6

  1. Attacker took flashloan of 50,000 WETH & 80,000 WSTETH from Balancer vault
  1. The attacker deposited 80,000 WSTETH collateral into fWSTETH-146 pool.
  2. After depositing, the attacker borrowed 2397 ETH from fWSTETH-146 pool without updating the borrower's record.

https://etherscan.io/address/0x49da42a1eca4ac6ca0c6943d9e5dc64e4641e0e3#code

  1. The pool triggers the fallback function of the exploiter contract while sending ether to the exploit contract where the attacker makes a re-entrant call to exitMarket() & withdraws his collateral of 80,000 WSTETH.
  1. The attacker receives 2397 ETH for free & transfers it to another contract for later claiming.
  1. The attacker repeats steps 1-4 until all borrowed amount is collected.
  2. The attacker applies the same strategy on 7 different pools & runs away with ~$79M of profit.

Hack Yourself!

Here is the Github repo that has POC for the hack.

More Weblogs

Social Engineering: Classification & Prevention

Social Engineering is an art, where an attacker manipulates people to extract confidential information. That information could be used in various ways by criminals. Individuals are targeted to install malicious software that could give cybercriminals access to their operating systems,

Red, Blue & Purple Team: Attacker, Defender & Facilitator

Building an effective & secure platform is critical! In this era of rising technologies, it is becoming more and more complex to manage security. Conducting a red team vs blue team exercise could be an eye-opener for companies who seek optimum level protection against their network and systems.

The Poly Network Hack: Who to Blame?

What was essentially the biggest hack in the history of cryptocurrency became a valuable lesson on the importance of security and just how powerless big organizations can become in the face of powerful hackers. The unusual trajectory of this incident also begs the question of where to place the blame in these kinds of attacks. Read more to find out exactly how the hack took place as we analyze the most pressing questions surrounding this attack.

Stay in Touch

Drop your email to read the BlockApex newsletter and keep yourself updated around the clock.

    All rights reserved. Copyright 2020-21