Rari Capital Hack Analysis & POC


    Introduction

    Rari Capital was hacked for around $79M through a classic re-entrancy attack. Rari is a fork of Compound Finance, which had fixed this bug earlier. It is not the first time Rari has been the victim of a hack.

    Prerequisites

    1. Rari is a fork of Compound Finance, and Compound had a known re-entrancy issue whenever CTokens were borrowed through the borrow() function.
    2. The Rari team patched this by introducing a pool-wide re-entrancy guard on CTokens.
    3. There is also a component called the "comptroller", which is responsible for functions such as providing and withdrawing collateral via enterMarkets() and exitMarket() respectively.
    4. The comptroller contract had no re-entrancy checks in place. The attacker exploited this through the exitMarket() function, which marks the deposited asset as no longer being collateral, meaning it can be withdrawn at any time.

    The Exploit

    The attacker created 2 contracts:

    1. One for exploiting the Rari Fuse pools
    2. One for receiving the profits after the exploit

    There were 7 pools affected by this exploit (8, 18, 27, 127, 144, 146, 156):

    1. https://etherscan.io/tx/0xa185f63b82cbb199a435399cfd414b89ebab91485d5034cdf8861a5f958259a4
    2. https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6
    3. https://etherscan.io/tx/0x0f75349606610313cb666277eeda612e72be624cae061d017e503056bbf4d8e0
    4. https://etherscan.io/tx/0x0742b138a78ad9bd5d0b55221d514637313bc64c40272ca98c8d0417a519e2e4
    5. https://etherscan.io/tx/0x254735c6c14e4d338b1cc5bca43aab6b0f395ae06085013b1b2527180d270a31
    6. https://etherscan.io/tx/0xab486012f21be741c9e674ffda227e30518e8a1e37a5f1d58d0b0d41f6e76530
    7. https://etherscan.io/tx/0x9e4d4f4ebb45d1e03813d834494045c1b6ea2adbde1b89fbe24349846c223779

    We will be focusing on this specific transaction to understand the hack.

    https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6

    1. The attacker took a flash loan of 50,000 WETH and 80,000 WSTETH from the Balancer vault.
    2. The attacker deposited the 80,000 WSTETH as collateral into the fWSTETH-146 pool.
    3. After depositing, the attacker borrowed 2397 ETH from the fWSTETH-146 pool; the pool sent the ETH without first updating the borrower's record.

    https://etherscan.io/address/0x49da42a1eca4ac6ca0c6943d9e5dc64e4641e0e3#code

    4. While sending the ether to the exploit contract, the pool triggers the fallback function of the exploiter contract, where the attacker makes a re-entrant call to exitMarket() and withdraws his collateral of 80,000 WSTETH.
    5. The attacker receives the 2397 ETH for free and transfers it to another contract to claim later.
    6. The attacker repeats steps 2 to 5 until the entire borrowable amount has been collected.
    7. The attacker applies the same strategy to 7 different pools and walks away with ~$79M in profit.
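    The two defenses the analysis above points at, written as an added illustrative Solidity sketch (not Rari or Compound code; contract, function and state names are simplified assumptions): borrow() updates the borrower's record before the external ETH transfer, and exitMarket() refuses to run while the pool-wide lock is held, so a re-entrant call from the borrower's fallback cannot release collateral mid-borrow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative, simplified sketch (not Rari/Compound code). The market takes a
// pool-wide lock for the duration of borrow(); the comptroller checks that lock
// in exitMarket(), closing the gap described in the prerequisites above.
contract Comptroller {
    bool public poolLocked;                                          // pool-wide re-entrancy flag
    mapping(address => bool) public isMarket;                        // markets allowed to lock the pool
    mapping(address => mapping(address => bool)) public isCollateral; // user => market => in use as collateral

    // Admin-gated in a real deployment; left open here to keep the sketch short.
    function addMarket(address market) external { isMarket[market] = true; }

    modifier onlyMarket() { require(isMarket[msg.sender], "not a market"); _; }

    function lock() external onlyMarket { require(!poolLocked, "re-entered"); poolLocked = true; }
    function unlock() external onlyMarket { poolLocked = false; }

    function enterMarket(address market) external { isCollateral[msg.sender][market] = true; }

    // The check that was missing in the incident: while any market in the pool is
    // mid-operation, collateral must not be released.
    function exitMarket(address market) external {
        require(!poolLocked, "pool busy: re-entrancy");
        // A real implementation also verifies the account stays solvent after exiting.
        isCollateral[msg.sender][market] = false;
    }
}

contract CEther {
    Comptroller public immutable comptroller;
    mapping(address => uint256) public borrowBalance;

    constructor(Comptroller c) { comptroller = c; }
    receive() external payable {}

    function borrow(uint256 amount) external {
        comptroller.lock();                                // 1. take the pool-wide lock
        borrowBalance[msg.sender] += amount;               // 2. effects: record the debt first
        (bool ok, ) = msg.sender.call{value: amount}("");  // 3. interaction: may call back into us
        require(ok, "transfer failed");
        comptroller.unlock();                              // 4. release only after the call returns
    }
}
```

    With this ordering, a callback that reaches exitMarket() reverts on the lock, and even a callback that reaches a different market sees the caller's debt already recorded.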

    Hack Yourself!

    Here is the GitHub repo that has the POC for the hack.
