Rari Capital Hack: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/raricapitalhack.php}} thumb|Rari CapitalThe Rari Capital hack is the latest attack among many increasingly sophisticated attacks occurring in the DeFi space. The platform, as well as Alpha Finance, were both audited smart contracts. The good news in this case is that the community came together to assist those who were affected by the hack, with developers giving up their...") |
(About section moved around while adding new case from Float Protocol.) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{ | {{Case Study Under Construction}}{{Unattributed Sources}} | ||
[[File:Raricapital.jpg|thumb|Rari Capital]]The Rari Capital hack is the latest attack among many increasingly sophisticated attacks occurring in the DeFi space. The platform, as well as Alpha Finance, were both audited smart contracts. | [[File:Raricapital.jpg|thumb|Rari Capital]]The Rari Capital hack is the latest attack among many increasingly sophisticated attacks occurring in the DeFi space. The platform, as well as Alpha Finance, were both audited smart contracts. | ||
| Line 5: | Line 5: | ||
The good news in this case is that the community came together to assist those who were affected by the hack, with developers giving up their own funds that had been allocated to them to affected users. | The good news in this case is that the community came together to assist those who were affected by the hack, with developers giving up their own funds that had been allocated to them to affected users. | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country.<ref name="halborn-503" /><ref name="decrypt-504" /><ref name="raricapitalmedium-505" /><ref name="raricapital-506" /><ref name="coindesk-507" /><ref name="raricapitalmedium-508" /><ref name="cointelegraph-509" /><ref name="defirate-510" /><ref name="thedefiant-800" /><ref name="financemagnates-839" /><ref name="adrianhetman-1144" /><ref name="slowmisthacked-678" /><ref name="coinmarketcap-1790" /><ref name="openblocksecgithub-2342" /><ref name="nipunpmedium-2370" /><ref name="frankresearchertwitter-2371" /><ref name="blocksecteammedium-2372" /><ref name="rektnews-2373" /><ref name="dudesahntwitter-2374" /><ref name="hackmd-2375" /><ref name="etherscan-1221" /><ref name="bscscan-2376" /> | ||
== About Rari Capital == | == About Rari Capital == | ||
"Rari Capital is working on building a series of products with the goal of increasing market efficiencies within the crypto-sphere. Our first product is software that can rebalance users holdings across a series of protocols to deliver the highest yield." "Start earning with our yield aggregator product. It's as easy as depositing and watching the number go up." | "Rari Capital is working on building a series of products with the goal of increasing market efficiencies within the crypto-sphere. Our first product is software that can rebalance users holdings across a series of protocols to deliver the highest yield." "Start earning with our yield aggregator product. It's as easy as depositing and watching the number go up." | ||
== The Reality == | |||
"Rari claims the code was previously audited by a blockchain security company called Quantstamp, but says "they were not aware" of the exploit." "Unfortunately, the Rari Capital contributors were not aware that `ibETH.totalETH()` could be manipulated for the duration of these external calls from `ibETH.work`, nor were we aware of the flexibility of `ibETH.work` to call any contract." "[T]his incident underscores the importance of double-checking how liquidity share calculations are performed in DeFi protocols. Although the ratio of deposited value to total token supply should be invariant, attackers have demonstrated multiple times that these values can be eliminated." "Rari Capital plans to undergo additional security audits of their contracts. While the contracts were previously audited by Quantstamp, engaging multiple auditors with different perspectives can help with ferreting out these complex vulnerabilities before they can be exploited by an attacker." | "Rari claims the code was previously audited by a blockchain security company called Quantstamp, but says "they were not aware" of the exploit." "Unfortunately, the Rari Capital contributors were not aware that `ibETH.totalETH()` could be manipulated for the duration of these external calls from `ibETH.work`, nor were we aware of the flexibility of `ibETH.work` to call any contract." "[T]his incident underscores the importance of double-checking how liquidity share calculations are performed in DeFi protocols. Although the ratio of deposited value to total token supply should be invariant, attackers have demonstrated multiple times that these values can be eliminated." "Rari Capital plans to undergo additional security audits of their contracts. While the contracts were previously audited by Quantstamp, engaging multiple auditors with different perspectives can help with ferreting out these complex vulnerabilities before they can be exploited by an attacker." | ||
== What Happened == | == What Happened == | ||
"On May 8, 2021, Rari Capital, a DeFi project, was the victim of a smart contract hack." | |||
{| class="wikitable" | {| class="wikitable" | ||
|+Key Event Timeline - Rari Capital Hack | |+Key Event Timeline - Rari Capital Hack | ||
| Line 52: | Line 21: | ||
!Description | !Description | ||
|- | |- | ||
|May 8th, 2021 | |May 8th, 2021 | ||
| | |Smart Contract Hack | ||
| | |"On May 8, 2021, Rari Capital, a DeFi project, was the victim of a smart contract hack." | ||
|- | |- | ||
| | | | ||
| Line 64: | Line 29: | ||
| | | | ||
|} | |} | ||
== Technical Details == | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | |||
"[T]he attack against Rari Capital took advantage of how liquidity shares were calculated by a smart contract within the project." "[T]he hackers were able to extract ETH from Rari by manipulating the code around an affiliated DeFi protocol, Alpha Finance." "Using the ibETH.work function, they inflated the value of ibETH within Rari Capital’s pool by inflating the value of ibETH.totalETH. They then called the withdrawal function of the Rari Capital Ethereum pool, extracting more ETH than they initially deposited due to this inflated value. This allowed them to drain the pool of value contributed by other Rari Capital users." | |||
== Total Amount Lost == | == Total Amount Lost == | ||
The total amount lost | "$11 million in Ethereum was stolen from its platform." "This loss equates to 60% of all users’ funds in the Rari Capital Ethereum Pool." | ||
The total amount lost has been estimated at $11,000,000 USD. | |||
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | ||
| Line 75: | Line 47: | ||
== Ultimate Outcome == | == Ultimate Outcome == | ||
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done? | What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done? | ||
"Rari [also] plans to set aside 2 million RGT (the project’s governance token) to compensate the users who lost money in the hack." "All of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room," "To be clear: this is not a company or even the DAO itself making depositors whole — it is the exceptional individuals who have poured their time, talent, and creativity into this protocol and this community, each choosing to put their own financial well-being secondary to our collective mission." | |||
== Total Amount Recovered == | == Total Amount Recovered == | ||
There do not appear to have been any funds recovered in this case. | |||
"Rari [also] plans to set aside 2 million RGT (the project’s governance token) to compensate the users who lost money in the hack." "All of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room," | |||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
== General Prevention Policies == | |||
== Prevention Policies == | |||
Smart contracts are not known for having good judgement when it comes to detecting if a transaction is suspicious or not. That's a skill which human beings have innately. | Smart contracts are not known for having good judgement when it comes to detecting if a transaction is suspicious or not. That's a skill which human beings have innately. | ||
| Line 90: | Line 63: | ||
Where smart contracts or hot wallets are used, it's best to manage these using capital of the firm, or to have losses insured by a multi-platform crypto-based fund such as we propose in our framework. | Where smart contracts or hot wallets are used, it's best to manage these using capital of the firm, or to have losses insured by a multi-platform crypto-based fund such as we propose in our framework. | ||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Placeholder}} | |||
{{Prevention:Individuals:End}} | |||
== Platform Prevention Policies == | |||
{{Prevention:Platforms:Placeholder}} | |||
{{Prevention:Platforms:End}} | |||
== Regulatory Prevention Policies == | |||
{{Prevention:Regulators:Placeholder}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
[https://halborn.com/explained-the-rari-capital-hack-may-2021/ Explained: The Rari Capital Hack (May 2021) - Halborn] (May | <references><ref name="halborn-503">[https://halborn.com/explained-the-rari-capital-hack-may-2021/ Explained: The Rari Capital Hack (May 2021) - Halborn] (May 11, 2021)</ref> | ||
[https://decrypt.co/70441/rari-capital-defi-hack-ethereum Ethereum DeFi Project Rari Capital Hacked for $11M—But It Plans to Make It Right - Decrypt] (May | <ref name="decrypt-504">[https://decrypt.co/70441/rari-capital-defi-hack-ethereum Ethereum DeFi Project Rari Capital Hacked for $11M—But It Plans to Make It Right - Decrypt] (May 12, 2021)</ref> | ||
[https://medium.com/rari-capital/5-8-2021-rari-ethereum-pool-post-mortem-60aab6a6f8f9 Rari Ethereum Pool Post Mortem] (May | <ref name="raricapitalmedium-505">[https://medium.com/rari-capital/5-8-2021-rari-ethereum-pool-post-mortem-60aab6a6f8f9 Rari Ethereum Pool Post Mortem] (May 12, 2021)</ref> | ||
[https://rari.capital/ Rari Capital] (May | <ref name="raricapital-506">[https://rari.capital/ Rari Capital] (May 13, 2021)</ref> | ||
[https://www.coindesk.com/rari-capital-loses-ethereum-to-theft Rari Capital Plans to Refund Stolen $10.6M in Ethereum From Dev Fund - CoinDesk] (May | <ref name="coindesk-507">[https://www.coindesk.com/rari-capital-loses-ethereum-to-theft Rari Capital Plans to Refund Stolen $10.6M in Ethereum From Dev Fund - CoinDesk] (May 13, 2021)</ref> | ||
[https://medium.com/rari-capital/looking-forward-at-rari-capital-a8349225120e Looking Forward At Rari Capital] (May | <ref name="raricapitalmedium-508">[https://medium.com/rari-capital/looking-forward-at-rari-capital-a8349225120e Looking Forward At Rari Capital] (May 13, 2021)</ref> | ||
[https://cointelegraph.com/news/rari-capital-falls-victim-to-11-million-exploit Rari Capital falls victim to $11 million exploit] (May | <ref name="cointelegraph-509">[https://cointelegraph.com/news/rari-capital-falls-victim-to-11-million-exploit Rari Capital falls victim to $11 million exploit] (May 13, 2021)</ref> | ||
[https://defirate.com/rari-capital-yield-farming/ Rari Capital Launches Robo Yield Farming Tool - DeFi Rate] (May | <ref name="defirate-510">[https://defirate.com/rari-capital-yield-farming/ Rari Capital Launches Robo Yield Farming Tool - DeFi Rate] (May 13, 2021)</ref> | ||
[https://thedefiant.io/teens-controlling-multi-million-dollar-defi-protocols-are-not-playing-around/ Teens Controlling Multi-Million-Dollar DeFi Protocols Are Not Playing Around - The Defiant - DeFi News] (May | <ref name="thedefiant-800">[https://thedefiant.io/teens-controlling-multi-million-dollar-defi-protocols-are-not-playing-around/ Teens Controlling Multi-Million-Dollar DeFi Protocols Are Not Playing Around - The Defiant - DeFi News] (May 23, 2021)</ref> | ||
[https://www.financemagnates.com/cryptocurrency/news/rari-capital-to-compensate-users-following-10-million-eth-exploit/ Rari Capital to Compensate Users following $10 Million ETH Exploit | Finance Magnates] (May | <ref name="financemagnates-839">[https://www.financemagnates.com/cryptocurrency/news/rari-capital-to-compensate-users-following-10-million-eth-exploit/ Rari Capital to Compensate Users following $10 Million ETH Exploit | Finance Magnates] (May 24, 2021)</ref> | ||
[https://www.adrianhetman.com/four-hacks-one-week/ Four Hacks, one week] (Jun | <ref name="adrianhetman-1144">[https://www.adrianhetman.com/four-hacks-one-week/ Four Hacks, one week] (Jun 19, 2021)</ref> | ||
[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May | <ref name="slowmisthacked-678">[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 18, 2021)</ref> | ||
[https://coinmarketcap.com/currencies/rari-fund-token/ Rari Fund Token price today, RFT live marketcap, chart, and info | CoinMarketCap] (Jul | <ref name="coinmarketcap-1790">[https://coinmarketcap.com/currencies/rari-fund-token/ Rari Fund Token price today, RFT live marketcap, chart, and info | CoinMarketCap] (Jul 24, 2021)</ref> | ||
[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug | <ref name="openblocksecgithub-2342">[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 11, 2021)</ref> | ||
[https://nipunp.medium.com/5-8-21-rari-capital-exploit-timeline-analysis-8beda31cbc1a 5 8 21 Rari Capital Exploit Timeline Analysis] (Aug | <ref name="nipunpmedium-2370">[https://nipunp.medium.com/5-8-21-rari-capital-exploit-timeline-analysis-8beda31cbc1a 5 8 21 Rari Capital Exploit Timeline Analysis] (Aug 11, 2021)</ref> | ||
[https://twitter.com/frankresearcher/status/1391087260125188099 @frankresearcher Twitter] (Aug | <ref name="frankresearchertwitter-2371">[https://twitter.com/frankresearcher/status/1391087260125188099 @frankresearcher Twitter] (Aug 11, 2021)</ref> | ||
[https://blocksecteam.medium.com/price-manipulation-attack-in-reality-again-raricapital-incident-8f2047bc3575 Price Manipulation Attack In Reality Again Raricapital Incident] (Aug | <ref name="blocksecteammedium-2372">[https://blocksecteam.medium.com/price-manipulation-attack-in-reality-again-raricapital-incident-8f2047bc3575 Price Manipulation Attack In Reality Again Raricapital Incident] (Aug 11, 2021)</ref> | ||
[https://www.rekt.news/rari-capital-rekt/ Rekt - Rari Capital - REKT] (Aug | <ref name="rektnews-2373">[https://www.rekt.news/rari-capital-rekt/ Rekt - Rari Capital - REKT] (Aug 11, 2021)</ref> | ||
[https://twitter.com/dudesahn/status/1391056013416140803 @dudesahn Twitter] (Aug | <ref name="dudesahntwitter-2374">[https://twitter.com/dudesahn/status/1391056013416140803 @dudesahn Twitter] (Aug 11, 2021)</ref> | ||
[https://hackmd.io/AxM6EeBOS928w28b_kUSfg Why the Attack Was Possible - HackMD] (Aug | <ref name="hackmd-2375">[https://hackmd.io/AxM6EeBOS928w28b_kUSfg Why the Attack Was Possible - HackMD] (Aug 11, 2021)</ref> | ||
[https://etherscan.io/address/0xCB36b1ee0Af68Dce5578a487fF2Da81282512233 Address 0xCB36b1ee0Af68Dce5578a487fF2Da81282512233 | Etherscan] (Jul | <ref name="etherscan-1221">[https://etherscan.io/address/0xCB36b1ee0Af68Dce5578a487fF2Da81282512233 Address 0xCB36b1ee0Af68Dce5578a487fF2Da81282512233 | Etherscan] (Jul 3, 2021)</ref> | ||
[https://bscscan.com/address/0xcb36b1ee0af68dce5578a487ff2da81282512233 Address 0xcb36b1ee0af68dce5578a487ff2da81282512233 | BscScan] (Aug | <ref name="bscscan-2376">[https://bscscan.com/address/0xcb36b1ee0af68dce5578a487ff2da81282512233 Address 0xcb36b1ee0af68dce5578a487ff2da81282512233 | BscScan] (Aug 11, 2021)</ref></references> | ||
Latest revision as of 17:27, 30 January 2024
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
The Rari Capital hack is the latest attack among many increasingly sophisticated attacks occurring in the DeFi space. The platform, as well as Alpha Finance, were both audited smart contracts.
The good news in this case is that the community came together to assist those who were affected by the hack, with developers giving up their own funds that had been allocated to them to affected users.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22]
About Rari Capital
"Rari Capital is working on building a series of products with the goal of increasing market efficiencies within the crypto-sphere. Our first product is software that can rebalance users holdings across a series of protocols to deliver the highest yield." "Start earning with our yield aggregator product. It's as easy as depositing and watching the number go up."
The Reality
"Rari claims the code was previously audited by a blockchain security company called Quantstamp, but says "they were not aware" of the exploit." "Unfortunately, the Rari Capital contributors were not aware that `ibETH.totalETH()` could be manipulated for the duration of these external calls from `ibETH.work`, nor were we aware of the flexibility of `ibETH.work` to call any contract." "[T]his incident underscores the importance of double-checking how liquidity share calculations are performed in DeFi protocols. Although the ratio of deposited value to total token supply should be invariant, attackers have demonstrated multiple times that these values can be eliminated." "Rari Capital plans to undergo additional security audits of their contracts. While the contracts were previously audited by Quantstamp, engaging multiple auditors with different perspectives can help with ferreting out these complex vulnerabilities before they can be exploited by an attacker."
What Happened
"On May 8, 2021, Rari Capital, a DeFi project, was the victim of a smart contract hack."
| Date | Event | Description |
|---|---|---|
| May 8th, 2021 | Smart Contract Hack | "On May 8, 2021, Rari Capital, a DeFi project, was the victim of a smart contract hack." |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
"[T]he attack against Rari Capital took advantage of how liquidity shares were calculated by a smart contract within the project." "[T]he hackers were able to extract ETH from Rari by manipulating the code around an affiliated DeFi protocol, Alpha Finance." "Using the ibETH.work function, they inflated the value of ibETH within Rari Capital’s pool by inflating the value of ibETH.totalETH. They then called the withdrawal function of the Rari Capital Ethereum pool, extracting more ETH than they initially deposited due to this inflated value. This allowed them to drain the pool of value contributed by other Rari Capital users."
Total Amount Lost
"$11 million in Ethereum was stolen from its platform." "This loss equates to 60% of all users’ funds in the Rari Capital Ethereum Pool."
The total amount lost has been estimated at $11,000,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
"Rari [also] plans to set aside 2 million RGT (the project’s governance token) to compensate the users who lost money in the hack." "All of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room," "To be clear: this is not a company or even the DAO itself making depositors whole — it is the exceptional individuals who have poured their time, talent, and creativity into this protocol and this community, each choosing to put their own financial well-being secondary to our collective mission."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
"Rari [also] plans to set aside 2 million RGT (the project’s governance token) to compensate the users who lost money in the hack." "All of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room,"
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Smart contracts are not known for having good judgement when it comes to detecting if a transaction is suspicious or not. That's a skill which human beings have innately.
There are some tasks best left to a human being, and confirming large withdrawals is one of them. For the best results, a multi-signature wallet can be used to ensure each outgoing transactions receives appropriate scrutiny.
Where smart contracts or hot wallets are used, it's best to manage these using capital of the firm, or to have losses insured by a multi-platform crypto-based fund such as we propose in our framework.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Explained: The Rari Capital Hack (May 2021) - Halborn (May 11, 2021)
- ↑ Ethereum DeFi Project Rari Capital Hacked for $11M—But It Plans to Make It Right - Decrypt (May 12, 2021)
- ↑ Rari Ethereum Pool Post Mortem (May 12, 2021)
- ↑ Rari Capital (May 13, 2021)
- ↑ Rari Capital Plans to Refund Stolen $10.6M in Ethereum From Dev Fund - CoinDesk (May 13, 2021)
- ↑ Looking Forward At Rari Capital (May 13, 2021)
- ↑ Rari Capital falls victim to $11 million exploit (May 13, 2021)
- ↑ Rari Capital Launches Robo Yield Farming Tool - DeFi Rate (May 13, 2021)
- ↑ Teens Controlling Multi-Million-Dollar DeFi Protocols Are Not Playing Around - The Defiant - DeFi News (May 23, 2021)
- ↑ Rari Capital to Compensate Users following $10 Million ETH Exploit | Finance Magnates (May 24, 2021)
- ↑ Four Hacks, one week (Jun 19, 2021)
- ↑ SlowMist Hacked - SlowMist Zone (May 18, 2021)
- ↑ Rari Fund Token price today, RFT live marketcap, chart, and info | CoinMarketCap (Jul 24, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
- ↑ 5 8 21 Rari Capital Exploit Timeline Analysis (Aug 11, 2021)
- ↑ @frankresearcher Twitter (Aug 11, 2021)
- ↑ Price Manipulation Attack In Reality Again Raricapital Incident (Aug 11, 2021)
- ↑ Rekt - Rari Capital - REKT (Aug 11, 2021)
- ↑ @dudesahn Twitter (Aug 11, 2021)
- ↑ Why the Attack Was Possible - HackMD (Aug 11, 2021)
- ↑ Address 0xCB36b1ee0Af68Dce5578a487fF2Da81282512233 | Etherscan (Jul 3, 2021)
- ↑ Address 0xcb36b1ee0af68dce5578a487ff2da81282512233 | BscScan (Aug 11, 2021)