After $11M Hack, Rari Capital Team to Reimburse Lost Funds

Key Takeaways

  • The hack used a price manipulation attack to trick Rari Capital’s smart contract into misjudging the price of Alpha’s ibETH token.
  • The team has been working with other Ethereum developers to fix the vulnerabilities and has been actively answering community questions.
  • During a community call, Rari’s team announced they were foregoing their token allocation to reimburse users who lost funds in this attack.


Following the $11 million hack over the weekend, Rari’s native token crashed from $18 to $10. The team behind the protocol has, however, moved quickly to make victims whole. 

Rari Suffers Weekend Hack, Drops $11M

Rari Capital is a DeFi protocol building optimized yield vaults and offering lending and borrowing on niche tokens. Recently, the team integrated Alpha Finance’s ibETH token, which is an interest-bearing Ethereum token. On May 8, the smart contract in charge of depositing ETH in Alpha Finance’s ibETH pool was hacked.

While the exploit threatened no Alpha funds, liquidity providers (LPs) from the Rari ETH pool lost a combined 2,600 ETH, totaling over $10 million. The hackers artificially inflated the value of the ETH pool on Rari by using a flash loan from dYdX. They then withdrew ETH from the pool using a function that the hackers should not have had access to.

This technique is called an indirect price manipulation attack. It relies on the attacker using a flash loan to artificially inflate the token's price for a few brief moments. Because the price of the Rari ETH pool token is tied to the value of the ibETH the protocol holds, manipulating the price of ibETH also moves the price of Rari's ETH pool token.
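To make that dependency concrete, here is an added model (not Rari's, Alpha's or any audited contract code) of a pool whose share value is read from a manipulable spot price, compared with a time-weighted average and a deviation guard; the TWAP and guard go beyond the article as common mitigations, and all prices, pool sizes and thresholds are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SpotOracle:
    """Values ibETH at the current market price: a flash loan can move this within one block."""
    price: float = 1.0

    def observe(self, price: float) -> None:
        self.price = price

    def read(self) -> float:
        return self.price


@dataclass
class TwapOracle:
    """Time-weighted average of the last `window` per-block prices; a single block cannot dominate it."""
    window: int = 10
    history: deque = field(default_factory=deque)

    def observe(self, price: float) -> None:
        self.history.append(price)
        if len(self.history) > self.window:
            self.history.popleft()

    def read(self) -> float:
        return sum(self.history) / len(self.history)


def redemption_value(shares: float, total_shares: float, ibeth_held: float, price: float) -> float:
    """ETH owed for `shares` of a pool holding `ibeth_held` ibETH valued at `price` ETH each."""
    return shares / total_shares * ibeth_held * price


def deviation_bps(spot: float, reference: float) -> int:
    """Distance of the spot price from a reference price, in basis points (assumed guard metric)."""
    return int(abs(spot - reference) / reference * 10_000)


def run_scenario(spike: float = 3.0, quiet_blocks: int = 9, max_bps: int = 500) -> dict:
    """Constructed scenario: a fair price of 1.0 for `quiet_blocks`, then a one-block jump to `spike`."""
    spot, twap = SpotOracle(), TwapOracle(window=quiet_blocks + 1)
    for _ in range(quiet_blocks):
        spot.observe(1.0)
        twap.observe(1.0)
    spot.observe(spike)   # the block in which the underlying price is transiently inflated
    twap.observe(spike)
    args = (100.0, 1_000.0, 1_000.0)  # holder owns 10% of a pool holding 1,000 ibETH (constructed)
    return {
        "fair": redemption_value(*args, 1.0),
        "spot_valued": redemption_value(*args, spot.read()),   # overstated by the transient spike
        "twap_valued": redemption_value(*args, twap.read()),   # spike damped across the window
        "guard_trips": deviation_bps(spot.read(), twap.read()) > max_bps,  # spot vs TWAP sanity check
    }
```

Run `run_scenario()` to see the spot valuation triple the fair redemption value while the TWAP valuation moves only 20% and the deviation guard flags the block.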

Mapping of the Rari Capital exploit of May 8. Source: BlockSecTeam.

The attack relied on the “work” function of the ibETH contract being activated by the attackers, something the Rari team didn’t know to be possible. Quantstamp, who audited the contracts, didn’t notice…
