QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$11 000 000 USD
MAY 2021
GLOBAL
RARI CAPITAL
DESCRIPTION OF EVENTS

"Rari Capital is working on building a series of products with the goal of increasing market efficiencies within the crypto-sphere. Our first product is software that can rebalance users' holdings across a series of protocols to deliver the highest yield." "Start earning with our yield aggregator product. It's as easy as depositing and watching the number go up."
"On May 8, 2021, Rari Capital, a DeFi project, was the victim of a smart contract hack." "$11 million in Ethereum was stolen from its platform." "This loss equates to 60% of all users’ funds in the Rari Capital Ethereum Pool." "[T]he attack against Rari Capital took advantage of how liquidity shares were calculated by a smart contract within the project." "[T]he hackers were able to extract ETH from Rari by manipulating the code around an affiliated DeFi protocol, Alpha Finance." "Using the ibETH.work function, they inflated the value of ibETH within Rari Capital’s pool by inflating the value of ibETH.totalETH. They then called the withdrawal function of the Rari Capital Ethereum pool, extracting more ETH than they initially deposited due to this inflated value. This allowed them to drain the pool of value contributed by other Rari Capital users."
"Rari claims the code was previously audited by a blockchain security company called Quantstamp, but says "they were not aware" of the exploit." "Unfortunately, the Rari Capital contributors were not aware that `ibETH.totalETH()` could be manipulated for the duration of these external calls from `ibETH.work`, nor were we aware of the flexibility of `ibETH.work` to call any contract." "[T]his incident underscores the importance of double-checking how liquidity share calculations are performed in DeFi protocols. Although the ratio of deposited value to total token supply should be invariant, attackers have demonstrated multiple times that these values can be eliminated." "Rari Capital plans to undergo additional security audits of their contracts. While the contracts were previously audited by Quantstamp, engaging multiple auditors with different perspectives can help with ferreting out these complex vulnerabilities before they can be exploited by an attacker."
"Rari [also] plans to set aside 2 million RGT (the project’s governance token) to compensate the users who lost money in the hack." "All of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room," "To be clear: this is not a company or even the DAO itself making depositors whole — it is the exceptional individuals who have poured their time, talent, and creativity into this protocol and this community, each choosing to put their own financial well-being secondary to our collective mission."
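The share-calculation problem described above, as an added illustration that is not code from the page, from Rari Capital or from Alpha Finance: a toy Python model of a yield pool that prices user shares as total assets divided by total shares, where part of the assets is a position in an external vault valued at whatever that vault currently reports. All names (`ExternalVault`, `EthPool`, the users, the numbers) are constructed. The unchecked withdrawal pays out against a temporarily inflated vault figure and the shortfall lands on the remaining depositors; the checked variant enforces the point from the Halborn quote, that the deposited-value-to-share ratio should be close to invariant between interactions, by refusing a withdrawal when the external price has jumped beyond a tolerance since the previous interaction.

```python
from dataclasses import dataclass, field


class ManipulatedValuation(Exception):
    """Raised when the external vault's share price moved more than the pool tolerates."""


@dataclass
class ExternalVault:
    # Constructed stand-in for an external yield vault whose published
    # total-ETH figure can be read while it is temporarily inflated.
    total_eth: int
    total_shares: int

    def price_per_share(self) -> float:
        return self.total_eth / self.total_shares


@dataclass
class EthPool:
    """Toy pool: shares are priced as total assets / total shares, and total
    assets = ETH held directly + vault shares valued at the vault's own price."""
    vault: ExternalVault
    eth_reserve: int = 0            # ETH the pool holds directly
    vault_shares: int = 0           # pool's position in the external vault
    total_shares: int = 0           # pool share tokens outstanding
    balances: dict = field(default_factory=dict)
    last_price: float = 1.0         # vault price seen at the previous interaction
    max_drift: float = 0.05         # tolerated price move between interactions

    def total_assets(self) -> float:
        return self.eth_reserve + self.vault_shares * self.vault.price_per_share()

    def deposit(self, user: str, eth: int) -> int:
        # Mint shares at the current assets/shares ratio (1:1 for an empty pool).
        minted = eth if self.total_shares == 0 else int(eth * self.total_shares / self.total_assets())
        self.eth_reserve += eth
        self.total_shares += minted
        self.balances[user] = self.balances.get(user, 0) + minted
        self.last_price = self.vault.price_per_share()
        return minted

    def allocate_to_vault(self, eth: int) -> None:
        # Move reserve ETH into the external vault at its current price.
        bought = int(eth / self.vault.price_per_share())
        self.eth_reserve -= eth
        self.vault_shares += bought
        self.vault.total_eth += eth
        self.vault.total_shares += bought

    def _payout(self, user: str, shares: int) -> int:
        assert self.balances.get(user, 0) >= shares, "insufficient shares"
        value = int(shares * self.total_assets() / self.total_shares)
        self.balances[user] -= shares
        self.total_shares -= shares
        self.eth_reserve -= value   # paid from the reserve; other users' backing shrinks
        return value

    def withdraw_unchecked(self, user: str, shares: int) -> int:
        # Vulnerable pattern: trusts whatever the vault reports at this instant.
        return self._payout(user, shares)

    def withdraw_checked(self, user: str, shares: int) -> int:
        # Hardened pattern: the value-per-share ratio should be nearly invariant
        # between interactions, so a large jump in the external price is rejected.
        price = self.vault.price_per_share()
        if abs(price - self.last_price) / self.last_price > self.max_drift:
            raise ManipulatedValuation(f"vault price moved {self.last_price} -> {price}")
        self.last_price = price
        return self._payout(user, shares)


def build_pool():
    # Constructed starting state: vault at price 1.0, three depositors, 100 ETH in the vault.
    vault = ExternalVault(total_eth=1000, total_shares=1000)
    pool = EthPool(vault)
    pool.deposit("alice", 200)
    pool.deposit("bob", 150)
    pool.allocate_to_vault(100)      # reserve 250 ETH, 100 vault shares
    pool.deposit("carol", 50)        # reserve 300 ETH, 400 pool shares, assets 400
    return vault, pool


def run_scenario(checked: bool) -> dict:
    """Withdraw carol's 50 shares while the vault's total-ETH figure is inflated 5x."""
    vault, pool = build_pool()
    vault.total_eth = 5500           # simulated transient inflation (price 5.0)
    rejected = False
    try:
        paid = (pool.withdraw_checked if checked else pool.withdraw_unchecked)("carol", 50)
    except ManipulatedValuation:
        rejected = True
        vault.total_eth = 1100       # figure back to normal; a later honest withdrawal succeeds
        paid = pool.withdraw_checked("carol", 50)
    vault.total_eth = 1100
    # alice and bob deposited 350 ETH in total; anything below that is socialised loss
    shortfall = int(350 - pool.total_assets())
    return {"paid": paid, "shortfall_for_others": shortfall, "rejected": rejected}


def legitimate_yield_withdraw() -> int:
    """A 2% price rise from genuine yield stays inside the tolerance and is paid."""
    vault, pool = build_pool()
    vault.total_eth = 1122           # price ~1.02
    return pool.withdraw_checked("carol", 50)


if __name__ == "__main__":
    print("unchecked:", run_scenario(checked=False))
    print("checked:  ", run_scenario(checked=True))
    print("honest yield payout:", legitimate_yield_withdraw())
```

The drift bound is one sanity check, not a complete fix: it still relies on the checkpointed price being honest, so in a real contract it belongs alongside a reentrancy guard and a valuation source that cannot be moved within a single transaction.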
The Rari Capital hack is the latest of many increasingly sophisticated attacks in the DeFi space. Both the platform and Alpha Finance were running audited smart contracts.
The good news in this case is that the community came together to assist those affected by the hack, with developers handing the funds that had been allocated to them over to the affected users.
HOW COULD THIS HAVE BEEN PREVENTED?
Smart contracts are not known for having good judgement when it comes to detecting if a transaction is suspicious or not. That's a skill which human beings have innately.
There are some tasks best left to a human being, and confirming large withdrawals is one of them. For the best results, a multi-signature wallet can be used to ensure that each outgoing transaction receives appropriate scrutiny.
Where smart contracts or hot wallets are used, it's best to operate them with the firm's own capital, or to have losses insured by a multi-platform crypto-based fund such as we propose in our framework.
Explained: The Rari Capital Hack (May 2021) - Halborn (May 11)
Ethereum DeFi Project Rari Capital Hacked for $11M—But It Plans to Make It Right - Decrypt (May 12)
Rari Ethereum Pool Post Mortem (May 12)
Rari Capital (May 13)
Rari Capital Plans to Refund Stolen $10.6M in Ethereum From Dev Fund - CoinDesk (May 13)
Looking Forward At Rari Capital (May 13)
Rari Capital falls victim to $11 million exploit (May 13)
Rari Capital Launches Robo Yield Farming Tool - DeFi Rate (May 13)
Teens Controlling Multi-Million-Dollar DeFi Protocols Are Not Playing Around - The Defiant - DeFi News (May 23)
Rari Capital to Compensate Users following $10 Million ETH Exploit | Finance Magnates (May 24)
Four Hacks, one week (Jun 19)
SlowMist Hacked - SlowMist Zone (May 18)
Rari Fund Token price today, RFT live marketcap, chart, and info | CoinMarketCap (Jul 24)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
5 8 21 Rari Capital Exploit Timeline Analysis (Aug 11)
@frankresearcher Twitter (Aug 11)
Price Manipulation Attack In Reality Again Raricapital Incident (Aug 11)
Rekt - Rari Capital - REKT (Aug 11)
@dudesahn Twitter (Aug 11)
Why the Attack Was Possible - HackMD (Aug 11)
Address 0xCB36b1ee0Af68Dce5578a487fF2Da81282512233 | Etherscan (Jul 3)
Address 0xcb36b1ee0af68dce5578a487ff2da81282512233 | BscScan (Aug 11)
