$11 000 000 USD

MAY 2021

GLOBAL

RARI CAPITAL

DESCRIPTION OF EVENTS

"Rari Capital is working on building a series of products with the goal of increasing market efficiencies within the crypto-sphere. Our first product is software that can rebalance users' holdings across a series of protocols to deliver the highest yield." "Start earning with our yield aggregator product. It's as easy as depositing and watching the number go up."


"On May 8, 2021, Rari Capital, a DeFi project, was the victim of a smart contract hack." "$11 million in Ethereum was stolen from its platform." "This loss equates to 60% of all users’ funds in the Rari Capital Ethereum Pool." "[T]he attack against Rari Capital took advantage of how liquidity shares were calculated by a smart contract within the project." "[T]he hackers were able to extract ETH from Rari by manipulating the code around an affiliated DeFi protocol, Alpha Finance." "Using the ibETH.work function, they inflated the value of ibETH within Rari Capital’s pool by inflating the value of ibETH.totalETH. They then called the withdrawal function of the Rari Capital Ethereum pool, extracting more ETH than they initially deposited due to this inflated value. This allowed them to drain the pool of value contributed by other Rari Capital users."


"Rari claims the code was previously audited by a blockchain security company called Quantstamp, but says "they were not aware" of the exploit." "Unfortunately, the Rari Capital contributors were not aware that `ibETH.totalETH()` could be manipulated for the duration of these external calls from `ibETH.work`, nor were we aware of the flexibility of `ibETH.work` to call any contract." "[T]his incident underscores the importance of double-checking how liquidity share calculations are performed in DeFi protocols. Although the ratio of deposited value to total token supply should be invariant, attackers have demonstrated multiple times that these values can be eliminated." "Rari Capital plans to undergo additional security audits of their contracts. While the contracts were previously audited by Quantstamp, engaging multiple auditors with different perspectives can help with ferreting out these complex vulnerabilities before they can be exploited by an attacker."


"Rari [also] plans to set aside 2 million RGT (the project’s governance token) to compensate the users who lost money in the hack." "All of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room," "To be clear: this is not a company or even the DAO itself making depositors whole — it is the exceptional individuals who have poured their time, talent, and creativity into this protocol and this community, each choosing to put their own financial well-being secondary to our collective mission."

The Rari Capital hack is the latest of many increasingly sophisticated attacks occurring in the DeFi space. Both the platform and Alpha Finance were running smart contracts that had been audited.


The good news in this case is that the community came together to assist those who were affected by the hack, with developers giving up funds that had been allocated to them in order to reimburse affected users.

HOW COULD THIS HAVE BEEN PREVENTED?

Smart contracts are not known for having good judgement when it comes to detecting if a transaction is suspicious or not. That's a skill which human beings have innately.


There are some tasks best left to a human being, and confirming large withdrawals is one of them. For the best results, a multi-signature wallet can be used to ensure each outgoing transaction receives appropriate scrutiny.


Where smart contracts or hot wallets are used, it's best to manage these using capital of the firm, or to have losses insured by a multi-platform crypto-based fund such as we propose in our framework.
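As an added illustration (a constructed toy model, not Rari Capital's or Alpha Finance's code) of the share-calculation weakness described above and of the advice to hold unusual withdrawals for human confirmation: a pool that prices its shares from an external vault's live total pays out too much when that total is transiently inflated during a callback, while a checkpoint-based price-jump check refuses the same withdrawal and leaves it for review. The vault, pool, tolerance and amounts are all assumptions.

```python
from typing import Callable, Optional

class ExternalVault:
    """Stand-in vault: its reported total ETH is inflated while an arbitrary callback runs."""
    def __init__(self, total_eth: float) -> None:
        self.total_eth = total_eth
    def work(self, callback: Callable[[], None], extra_eth: float) -> None:
        self.total_eth += extra_eth          # inflated only for the duration of the callback
        try:
            callback()
        finally:
            self.total_eth -= extra_eth

class Pool:
    """Share price = vault.total_eth / total_shares, read live at every call. With
    max_price_jump set, a withdrawal whose implied price deviates from the last
    checkpoint by more than that fraction is refused and held for human review."""
    def __init__(self, vault: ExternalVault, max_price_jump: Optional[float] = None) -> None:
        self.vault, self.max_price_jump = vault, max_price_jump
        self.total_shares, self.checkpoint_price = 0.0, 1.0
    def price(self) -> float:
        return 1.0 if self.total_shares == 0 else self.vault.total_eth / self.total_shares
    def deposit(self, eth: float) -> float:
        minted = eth / self.price()
        self.vault.total_eth += eth          # the pool keeps its ETH in the vault
        self.total_shares += minted
        self.checkpoint_price = self.price()
        return minted
    def withdraw(self, n_shares: float) -> float:
        p = self.price()
        jump = abs(p - self.checkpoint_price) / self.checkpoint_price
        if self.max_price_jump is not None and jump > self.max_price_jump:
            raise RuntimeError(f"share price moved {p / self.checkpoint_price:.2f}x; hold for review")
        eth = n_shares * p
        self.total_shares -= n_shares
        self.vault.total_eth -= eth
        return eth

def simulate(max_price_jump: Optional[float]):
    """Honest 100 ETH deposit, then a 10-share withdrawal made while the vault's total is doubled."""
    vault, outcome = ExternalVault(total_eth=0.0), {}
    pool = Pool(vault, max_price_jump)
    pool.deposit(100.0)                      # honest depositor: 100 shares at price 1.0
    pool.deposit(10.0)                       # withdrawer's own stake: 10 shares
    def during_callback() -> None:
        outcome["eth"] = pool.withdraw(10.0)
    try:
        vault.work(during_callback, extra_eth=110.0)   # constructed transient inflation
    except RuntimeError as err:
        outcome["refused"] = str(err)
    return outcome, vault.total_eth          # vault ETH left backing the 100 honest shares
```

With no check, 10 shares worth 10 ETH are paid out as 20 ETH and only 90 ETH remain behind the honest 100 shares; with a 5% tolerance the withdrawal is refused and the vault is left whole, while an ordinary withdrawal at an unchanged price still goes through.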


© 2021 Quadriga Initiative.