Rari Capital Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:51, 18 February 2023 by Azoundria (talk | contribs)

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Rari Capital

The Rari Capital hack is the latest in a series of increasingly sophisticated attacks on the DeFi space. Both Rari Capital and Alpha Finance were running smart contracts that had been audited.

The good news in this case is that the community came together to assist those affected by the hack: the developers gave up funds that had been allocated to them so that affected users could be reimbursed.

This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22]

About Rari Capital

"Rari Capital is working on building a series of products with the goal of increasing market efficiencies within the crypto-sphere. Our first product is software that can rebalance users' holdings across a series of protocols to deliver the highest yield." "Start earning with our yield aggregator product. It's as easy as depositing and watching the number go up."

"On May 8, 2021, Rari Capital, a DeFi project, was the victim of a smart contract hack." "$11 million in Ethereum was stolen from its platform." "This loss equates to 60% of all users’ funds in the Rari Capital Ethereum Pool." "[T]he attack against Rari Capital took advantage of how liquidity shares were calculated by a smart contract within the project." "[T]he hackers were able to extract ETH from Rari by manipulating the code around an affiliated DeFi protocol, Alpha Finance." "Using the ibETH.work function, they inflated the value of ibETH within Rari Capital’s pool by inflating the value of ibETH.totalETH. They then called the withdrawal function of the Rari Capital Ethereum pool, extracting more ETH than they initially deposited due to this inflated value. This allowed them to drain the pool of value contributed by other Rari Capital users."

"Rari claims the code was previously audited by a blockchain security company called Quantstamp, but says "they were not aware" of the exploit." "Unfortunately, the Rari Capital contributors were not aware that `ibETH.totalETH()` could be manipulated for the duration of these external calls from `ibETH.work`, nor were we aware of the flexibility of `ibETH.work` to call any contract." "[T]his incident underscores the importance of double-checking how liquidity share calculations are performed in DeFi protocols. Although the ratio of deposited value to total token supply should be invariant, attackers have demonstrated multiple times that these values can be eliminated." "Rari Capital plans to undergo additional security audits of their contracts. While the contracts were previously audited by Quantstamp, engaging multiple auditors with different perspectives can help with ferreting out these complex vulnerabilities before they can be exploited by an attacker."
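The share-accounting weakness the post mortem describes, modelled in Python as an added example that is not Rari Capital's or Alpha Finance's contract code: a pool that values an external vault token at the spot ratio totalETH/totalSupply read at call time, beside a variant that bounds every such read against a checkpoint taken outside user transactions. The class names, the 3x inflation, the 1% tolerance and all balances are constructed for the model.

```python
SCALE = 10**18           # fixed-point scale for price arithmetic
MAX_DEVIATION_BPS = 100  # hardened pool tolerates at most 1% drift from checkpoint


class VaultToken:
    """Stand-in for an external vault token (ibETH-like). Its reported
    totalETH() can diverge from the ETH that really backs it while some
    call is in flight. Constructed for this model; not Alpha's contract."""

    def __init__(self, backing_eth, supply):
        self.backing_eth = backing_eth    # ETH that can actually be redeemed
        self.supply = supply
        self.reported_eth = backing_eth   # value totalETH() returns right now

    def total_eth(self):
        return self.reported_eth

    def total_supply(self):
        return self.supply

    def fair_price(self):
        return self.backing_eth * SCALE // self.supply


class NaivePool:
    """Shares priced from the vault's spot totalETH/totalSupply at call time."""

    def __init__(self, vault, tokens_held, existing_shares):
        self.vault = vault
        self.tokens_held = tokens_held        # vault tokens owned by the pool
        self.eth_reserve = 0                  # idle ETH from deposits
        self.total_shares = existing_shares   # shares already held by other users
        self.shares = {"others": existing_shares}

    def price(self):
        return self.vault.total_eth() * SCALE // self.vault.total_supply()

    def pool_value(self):
        return self.eth_reserve + self.tokens_held * self.price() // SCALE

    def deposit(self, user, eth):
        minted = eth * self.total_shares // self.pool_value()
        self.eth_reserve += eth
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted
        return minted

    def withdraw(self, user, amount_shares):
        claim = amount_shares * self.pool_value() // self.total_shares
        self.shares[user] -= amount_shares
        self.total_shares -= amount_shares
        eth_out = min(claim, self.eth_reserve)
        self.eth_reserve -= eth_out
        # any remainder is paid out in vault tokens, valued at the same price
        tokens_out = (claim - eth_out) * SCALE // self.price()
        self.tokens_held -= tokens_out
        return {"eth": eth_out, "tokens": tokens_out}

    def fair_value(self):
        """Pool value once the vault's reported figure is honest again."""
        return self.eth_reserve + self.tokens_held * self.vault.fair_price() // SCALE

    def fair_value_of(self, user):
        return self.shares[user] * self.fair_value() // self.total_shares


class GuardedPool(NaivePool):
    """Same accounting, but every price read must stay within
    MAX_DEVIATION_BPS of a checkpoint recorded outside user transactions."""

    def __init__(self, vault, tokens_held, existing_shares):
        super().__init__(vault, tokens_held, existing_shares)
        self.checkpoint_price = NaivePool.price(self)

    def checkpoint(self):
        # intended for a keeper's own transaction, never reachable mid-withdraw
        self.checkpoint_price = NaivePool.price(self)

    def price(self):
        live = NaivePool.price(self)
        drift_bps = abs(live - self.checkpoint_price) * 10_000 // self.checkpoint_price
        if drift_bps > MAX_DEVIATION_BPS:
            raise ValueError(f"vault value moved {drift_bps} bps since checkpoint; reverting")
        return live


def fair_value_received(payout, vault):
    return payout["eth"] + payout["tokens"] * vault.fair_price() // SCALE


def run_scenario(pool_cls):
    """Deposit at an honest price, then withdraw while the vault reports 3x."""
    vault = VaultToken(backing_eth=1_000, supply=1_000)
    pool = pool_cls(vault, tokens_held=900, existing_shares=900)
    minted = pool.deposit("user", 100)
    vault.reported_eth = 3_000                # reads are transiently inflated
    try:
        payout = pool.withdraw("user", minted)
    except ValueError as err:
        payout, reason = None, str(err)
    vault.reported_eth = vault.backing_eth    # the inflation does not persist
    if payout is None:
        return {"rejected": reason, "others_fair_value": pool.fair_value_of("others")}
    return {"user_received": fair_value_received(payout, vault),
            "others_fair_value": pool.fair_value_of("others")}


if __name__ == "__main__":
    print("naive  :", run_scenario(NaivePool))
    print("guarded:", run_scenario(GuardedPool))
```

In the naive pool the 100 ETH deposit is paid out at a fair value of 160 ETH and the other depositors' claim falls from 900 to 840 ETH; the guarded pool reverts the withdrawal because the live ratio is 20,000 bps away from the checkpoint. Note that an invariant check on value-per-share before and after each operation would not have fired here, since both reads use the same inflated figure: the control has to bound the external input itself, and a tolerance as loose as 1% still leaves room for smaller distortions, so the checkpoint interval and threshold are a risk decision rather than a fix.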

"Rari [also] plans to set aside 2 million RGT (the project’s governance token) to compensate the users who lost money in the hack." "All of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room," "To be clear: this is not a company or even the DAO itself making depositors whole — it is the exceptional individuals who have poured their time, talent, and creativity into this protocol and this community, each choosing to put their own financial well-being secondary to our collective mission."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Rari Capital Hack

Date | Event | Description
May 8th, 2021 12:00:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost has been estimated at $11,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

Smart contracts are not known for having good judgement when it comes to detecting if a transaction is suspicious or not. That's a skill which human beings have innately.

There are some tasks best left to a human being, and confirming large withdrawals is one of them. For the best results, a multi-signature wallet can be used to ensure each outgoing transaction receives appropriate scrutiny.

Where smart contracts or hot wallets are used, it's best to manage these using capital of the firm, or to have losses insured by a multi-platform crypto-based fund such as we propose in our framework.

References

  1. Explained: The Rari Capital Hack (May 2021) - Halborn (May 10, 2021)
  2. Ethereum DeFi Project Rari Capital Hacked for $11M—But It Plans to Make It Right - Decrypt (May 11, 2021)
  3. Rari Ethereum Pool Post Mortem (May 11, 2021)
  4. Rari Capital (May 12, 2021)
  5. Rari Capital Plans to Refund Stolen $10.6M in Ethereum From Dev Fund - CoinDesk (May 12, 2021)
  6. Looking Forward At Rari Capital (May 12, 2021)
  7. Rari Capital falls victim to $11 million exploit (May 12, 2021)
  8. Rari Capital Launches Robo Yield Farming Tool - DeFi Rate (May 12, 2021)
  9. Teens Controlling Multi-Million-Dollar DeFi Protocols Are Not Playing Around - The Defiant - DeFi News (May 22, 2021)
  10. Rari Capital to Compensate Users following $10 Million ETH Exploit | Finance Magnates (May 23, 2021)
  11. Four Hacks, one week (Jun 18, 2021)
  12. SlowMist Hacked - SlowMist Zone (May 17, 2021)
  13. Rari Fund Token price today, RFT live marketcap, chart, and info | CoinMarketCap (Jul 23, 2021)
  14. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10, 2021)
  15. 5 8 21 Rari Capital Exploit Timeline Analysis (Aug 10, 2021)
  16. @frankresearcher Twitter (Aug 10, 2021)
  17. Price Manipulation Attack In Reality Again Raricapital Incident (Aug 10, 2021)
  18. Rekt - Rari Capital - REKT (Aug 10, 2021)
  19. @dudesahn Twitter (Aug 10, 2021)
  20. Why the Attack Was Possible - HackMD (Aug 10, 2021)
  21. Address 0xCB36b1ee0Af68Dce5578a487fF2Da81282512233 | Etherscan (Jul 2, 2021)
  22. Address 0xcb36b1ee0af68dce5578a487ff2da81282512233 | BscScan (Aug 10, 2021)