Rari Capital Hack Analysis & POC
Rari Capital was hacked for around $79M through a classic re-entrancy attack. Rari is a fork of Compound Finance, which had fixed this bug earlier. It is not the first time Rari has been the victim of a hack.
- Rari is a fork of Compound Finance, and Compound had a known re-entrancy issue whenever CTokens were borrowed through the borrow() function.
- The Rari team patched this by introducing a pool-wide re-entrancy guard on CTokens.
- There is also a component called the “comptroller”, which is responsible for functions such as providing and withdrawing collateral by calling enterMarkets() and exitMarket() respectively.
- The comptroller contract had no re-entrancy checks in place. The attacker exploited the exitMarket() function, which marks the deposited asset as no longer being collateral, meaning it can be withdrawn at any time.
The attacker created 2 contracts.
There were 7 pools affected by this exploit (8, 18, 27, 127, 144, 146, 156).
We will be focusing on this specific transaction to understand the hack. https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6
1. The attacker took a flash loan of 50,000 WETH and 80,000 WSTETH from the Balancer vault.
2. The attacker deposited 80,000 WSTETH as collateral into the fWSTETH-146 pool.
3. After depositing, the attacker borrowed 2397 ETH from the fWSTETH-146 pool without the borrower's record being updated.
4. While sending the ether, the pool triggers the fallback function of the exploit contract, where the attacker makes a re-entrant call to exitMarket() and withdraws the 80,000 WSTETH collateral.
5. The attacker receives 2397 ETH for free and transfers it to another contract to claim later.
6. The attacker repeats steps 1–4 until the entire borrowed amount is collected.
7. The attacker applies the same strategy to 7 different pools and walks away with ~$79M of profit.
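To make the two defects concrete, here is an added, hypothetical Solidity model that is not Rari or Compound code: a Market whose borrowVulnerable() sends ETH before recording the debt, a Comptroller whose exitMarket() includes the re-entrancy check that was missing, and a hardened borrow() that records the debt first and holds a pool-wide lock. All contract and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
// Hypothetical two-contract model of the bug class above; not Rari/Compound source.
contract Comptroller {
    mapping(address => uint256) public borrowed;   // debt the market has recorded
    mapping(address => bool) public isCollateral;  // deposit counts toward the borrow limit
    address public immutable market;               // the one market this model knows
    bool public locked;                            // pool-wide lock, held while the market acts
    constructor() { market = msg.sender; }
    modifier onlyMarket() { require(msg.sender == market, "not market"); _; }
    function enterMarket(address who) external onlyMarket { isCollateral[who] = true; }
    function recordBorrow(address who, uint256 amt) external onlyMarket { borrowed[who] += amt; }
    function setLock(bool v) external onlyMarket { locked = v; }

    // Releases collateral so the market will let it be withdrawn. The unguarded
    // original had only the debt check: called from inside borrowVulnerable(),
    // `borrowed` is still zero, so the deposit is freed while the loan is outstanding.
    function exitMarket() external {
        require(!locked, "re-entrant call");          // the missing check
        require(borrowed[msg.sender] == 0, "debt outstanding");
        isCollateral[msg.sender] = false;
    }
}

contract Market {
    Comptroller public immutable comptroller;
    mapping(address => uint256) public deposits;
    constructor() { comptroller = new Comptroller(); }
    function deposit() external payable {
        deposits[msg.sender] += msg.value;
        comptroller.enterMarket(msg.sender);
    }

    // Vulnerable ordering: ETH is sent (caller's code runs) before the debt is recorded.
    function borrowVulnerable(uint256 amt) external {
        require(comptroller.isCollateral(msg.sender) && deposits[msg.sender] >= amt, "no collateral");
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "transfer failed");
        comptroller.recordBorrow(msg.sender, amt);   // too late: the callee already ran
    }

    // Hardened: record the debt first (checks-effects-interactions) and hold the lock.
    function borrow(uint256 amt) external {
        require(!comptroller.locked(), "re-entrant call");
        require(comptroller.isCollateral(msg.sender) && deposits[msg.sender] >= amt, "no collateral");
        comptroller.recordBorrow(msg.sender, amt);
        comptroller.setLock(true);
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "transfer failed");
        comptroller.setLock(false);
    }
}
```

With the hardened pair, a callback during the ETH transfer finds both the debt already recorded and the lock held, so exitMarket() reverts instead of releasing the collateral.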