Crypto Hackers Swipe $77 Million in Attack on DeFi Projects

Crypto projects Rari Capital and Fei Protocol said they suffered a $77 million hack on Saturday, five months after their merger.

An unverified Twitter account for Fei Protocol said it was aware of an exploit targeting multiple pools belonging to its merged partner Rari Capital. The tweet was verified by Fei founder Joey Santoro in a post to the decentralized-finance project’s Discord server. 

“We have identified the root cause and paused all borrowing to mitigate further damage,” the tweet said. Fei offered a $10 million bounty to the hacker if they returned the remaining user funds, “no questions asked.” Meanwhile, the hacker has already started moving crypto to Tornado Cash, a service that allows users to mask transactions. About 5,400 Ether tokens have been transferred so far, worth about $15 million based on recent prices, according to Lei Wu, chief technical officer of blockchain security firm BlockSec, and a review of activity on Etherscan.

The exploit is the latest to target a DeFi network, which is designed to allow users to bypass traditional intermediaries to borrow and lend digital assets with the added feature of anonymity. In February, hackers made off with $320 million worth of crypto after an attack on Wormhole, a communication bridge between the Solana blockchain and other DeFi networks.

Fei Protocol is focused on building an algorithmic stablecoin, pegged to the value of the U.S. dollar, that can be more easily used by decentralized autonomous organizations, or DAOs. Rari Capital allows investors to lend, borrow and “farm” high yields via a permissionless interest-rate protocol called Fuse. 

The hacker drained funds from several Fuse pools by exploiting a so-called reentrancy vulnerability, Santoro said in a post on Fei’s Discord, and promised to publish a detailed post-mortem of the attack “after further analysis.” 

A reentrancy attack occurs when a protocol’s smart contract calls an external smart contract, and that external contract responds by calling back into the original contract before the initial call has finished, exploiting a flaw in the initial call’s code. One of the most well-known instances of this type of attack is the 2016 hack on The DAO, according to analysis by crypto developer Moralis; the fallout from that incident caused the Ethereum blockchain to split in two.
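The call-ordering mistake described above, shown as an added simulation written for this page. It is not code from Rari Capital, Fei Protocol or the Fuse pools, and the pool, participants and amounts are constructed; it is a Python model of the Solidity pattern rather than on-chain code. The toy pool pays out before it updates its own bookkeeping, so a callback that re-enters `withdraw` sees the original credit still in place; the hardened variant applies the checks-effects-interactions ordering (zero the balance first) and a reentrancy guard, and the nested call achieves nothing.

```python
"""Simulated reentrancy in a lending pool (constructed example, not Rari/Fei code).

The vulnerable pool performs its external call (the payout) before it records
the withdrawal, which is the ordering a reentrancy attack relies on. The
hardened pool records the withdrawal first and rejects nested calls.
"""


class ReentrancyError(Exception):
    """Raised by the guarded pool when a call arrives mid-withdrawal."""


class Pool:
    """Toy lending pool. `guarded=True` selects the hardened implementation."""

    def __init__(self, reserve, guarded=False):
        self.reserve = reserve        # funds held on behalf of all depositors
        self.balances = {}            # depositor -> credited balance
        self.guarded = guarded
        self._entered = False         # reentrancy guard flag

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who):
        if self.guarded:
            return self._withdraw_safe(who)
        return self._withdraw_vulnerable(who)

    def _withdraw_vulnerable(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.reserve < amount:
            raise ValueError("insufficient reserve")
        self.reserve -= amount
        # Interaction before effect: untrusted code runs here while
        # balances[who] still shows the full credit.
        who.receive(self, amount)
        self.balances[who] = 0        # effect recorded too late

    def _withdraw_safe(self, who):
        # Guard: any call that arrives while a withdrawal is in progress fails.
        if self._entered:
            raise ReentrancyError("reentrant call rejected")
        self._entered = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                return
            if self.reserve < amount:
                raise ValueError("insufficient reserve")
            # Checks-effects-interactions: update state before calling out.
            self.balances[who] = 0
            self.reserve -= amount
            who.receive(self, amount)
        finally:
            self._entered = False


class ReentrantCaller:
    """Depositor whose payout hook calls back into withdraw before it returns.

    Models the external contract in the article's description. It stops
    re-entering once the pool can no longer cover its (stale) credit.
    """

    def __init__(self):
        self.received = 0

    def receive(self, pool, amount):
        self.received += amount
        if pool.reserve >= pool.balances.get(self, 0):
            try:
                pool.withdraw(self)       # nested call into the unfinished withdraw
            except ReentrancyError:
                pass                      # guard rejected it; outer call completes


def run_scenario(guarded):
    """Return (amount the reentrant caller received, reserve left in the pool)."""
    pool = Pool(reserve=100, guarded=guarded)   # 100 units belong to other depositors
    caller = ReentrantCaller()
    pool.deposit(caller, 10)                    # caller is credited with 10
    pool.withdraw(caller)
    return caller.received, pool.reserve


if __name__ == "__main__":
    print("vulnerable pool:", run_scenario(guarded=False))  # (110, 0)
    print("hardened pool:  ", run_scenario(guarded=True))   # (10, 100)
```

Running it shows the difference the ordering makes: against the vulnerable pool the caller's single deposit of 10 comes back as 110 and the reserve is emptied, while against the hardened pool the same callback receives exactly its own 10 and the other depositors' 100 remain. Either defence alone would suffice here; production contracts typically apply both, since the guard also covers cross-function reentrancy that a single reordered function does not.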

Any remaining unexploited funds on Rari “should be safe” from further attacks, he added, while Fei’s peg should remain stable as it is separate from Rari.  

©2022 Bloomberg L.P.