Fuse Exploit Post Mortem

Jack
May 14, 2022


On Saturday April 30 at around 2:20 AM PT, seven Fuse pools (8, 18, 27, 127, 144, 146, and 156) were exploited in quick succession. When alerted, the Rari Capital team executed its emergency response plan and paused borrowing globally, which prevented the exploit from being executed on other pools and saved tens of millions of dollars. A total of approximately $80 million was stolen from these seven Fuse pools. Here is a more detailed report of how much was lost in each pool, each market, and by each major stakeholder.

The analysis below addresses the nature of the vulnerability, the additional steps taken by the team, the available options to get these seven Fuse pools functional again, and the additional security measures the team is taking.

Analysis of the Vulnerability and Attack

The attack relied on borrowing ETH, which was sent with .call.value()(), allowing arbitrary code execution with unlimited gas in the recipient's fallback function. Inside that reentrancy the attacker was able to call exitMarket() on the comptroller, a function not protected by the local/global reentrancy lock that covers most of the Fuse codebase. Thus the attacker was able to execute an ETH borrow and release their collateral before the account's borrow state was updated. On Arbitrum, ETH was not borrowable in the exploited pool, so the attack there relied on reentrancy during ETH redemption instead.

In order to steal as much of the available liquidity as possible, the attacker executed the following sequence across all 7 pools. Using 3 accounts per pool, the attacker first flashloaned ETH as supply on account 1 and flashloaned stablecoins as supply on accounts 2 and 3. Then, using accounts 2 and 3, the attacker borrowed all of the pre-attack ETH liquidity plus the flashloaned ETH amount via the reentrancy described above. Because they received back both their borrow amounts and their collateral, they were able to repay the ETH and stablecoin flashloans on all accounts. Finally, the attacker borrowed most of the remaining available stablecoin liquidity in each pool by leveraging the non-existent, but still accounted, ETH supply balance on account 1.

The attacker's 3 accounts were then left in the following states: account 1 had an ETH supply balance and various stablecoin borrows, which represent most of the bad debt in the pool; accounts 2 and 3 had a combined ETH borrow balance equal to the ETH flashloan amount plus the pre-attack ETH liquidity in the pool.

Mitigation Steps

After immediately pausing borrowing, the team executed additional mitigation steps. Given the final state of the 7 pools following the exploit, utilization for ETH and stablecoins was extremely high, and thus interest rates were as well. To combat this, interest rates on Tribe DAO managed Fuse pools were set to a flat 3% rate. Other pool operators affected by the exploit were encouraged to do the same, and all have done so. These rates will remain in place while the affected pools carry bad debt and remain paused.

Subsequent steps were more complicated and required altering the internal accounting of the affected pools. In order to return the affected pools to a healthy state, the attacker's ETH supply and borrow balances for accounts 1, 2, and 3 were merged into account 1 so that all of the attacker's bad debt would exist on a single account. This removed the flashloaned ETH collateral and the corresponding borrow, leaving a single account holding only the bad debt. The graphic below shows the previous state of the hacker's accounts and the current state following this adjustment. The next step is to remove this bad debt from the attacker's account.

Immediate and Future Security Measures

A fix for the reentrancy vulnerability has been deployed. In the CEther contract, .call.value()(), which forwards all available gas, has been replaced with .transfer(), which has a hard 2300 gas limit. This prevents any reentrancy logic from being executed in the recipient. Additionally, the checks-effects-interactions pattern has been corrected so that the account's borrow state is updated prior to the transfer logic. This fix will remove the possibility of this exploit or any reentrancy exploit in the future.
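The following sketch, added to this write-up and not taken from the Fuse or Compound source, shows the ordering problem described in the analysis section beside the corrected form described above. The contract names, the simplified `borrowBalance` mapping and the elided collateral check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Sketch of a CEther-style ETH borrow written for this write-up; it is not the
// Fuse/Compound source. Collateral accounting is elided; borrowBalance is an
// assumed, simplified stand-in for the account's borrow state.

contract VulnerableCEther {
    mapping(address => uint256) public borrowBalance;

    // BEFORE: the low-level call (the 0.8 spelling of .call.value()()) forwards
    // all remaining gas, and the borrow is only recorded after it returns. A
    // contract borrower's receive()/fallback therefore runs while this account
    // still shows no debt, so a re-entrant exitMarket() on the comptroller (not
    // covered by the reentrancy lock) can release the collateral first.
    function borrow(uint256 amount) external {
        // ...collateral check reads borrowBalance[msg.sender], still stale...
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "TOKEN_TRANSFER_OUT_FAILED");
        borrowBalance[msg.sender] += amount; // effect after interaction
    }

    receive() external payable {}
}

contract HardenedCEther {
    mapping(address => uint256) public borrowBalance;
    bool private locked;

    // Local reentrancy lock; the comptroller's exitMarket() must sit behind the
    // same kind of guard, otherwise the lock is bypassable through that path.
    modifier nonReentrant() {
        require(!locked, "re-entered");
        locked = true;
        _;
        locked = false;
    }

    // AFTER: checks-effects-interactions. The debt is recorded before any
    // external interaction, and transfer() forwards only the 2300 gas stipend,
    // too little for the recipient to make a further external call.
    function borrow(uint256 amount) external nonReentrant {
        // ...collateral check...
        borrowBalance[msg.sender] += amount; // effect before interaction
        payable(msg.sender).transfer(amount);
    }

    receive() external payable {}
}
```

A review checklist that follows from this: every function that can change an account's collateral or debt position (including comptroller entry points such as exitMarket) should either share the reentrancy lock or be callable only once state has already been written.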

The next step in rebuilding trust between the Fuse protocol and its users is for Fuse to undergo additional security measures. Any differences from the Compound codebase will be heavily reviewed and scrutinized internally over the next few weeks. Fuse E2E and integration testing will also be migrated to a modern Foundry environment.

The team is also building additional security tooling. This entails a new alert system that fires on certain triggers, such as large price swings in an oracle or large amounts of liquidity being moved into or out of a Fuse pool. This will enable a quicker response time in the case of any future attack. The team is also building additional infrastructure that will make it easy to pause borrowing globally or on any single pool.

It will be up to the community to discuss any additional security measures they would like to see, either prior to or after reenabling borrowing. This may include one or more external security audits. These audits could cover the entire Fuse codebase or focus more narrowly on the differences from the Compound codebase and their implications.

In the future, Fuse activity and growth will transition to Fuse v2. Fuse v2 will move away from the Compound codebase and be a new money market unlike any that exists today. It will be a far simpler and smaller codebase designed specifically for permissionless markets. Fuse v2 will use a modular architecture, giving pool creators even more flexibility and customizability. Modules will enable pool operators to swap in custom security parameters that could disable flashloans, limit the amount that can be borrowed in a given period of time, and more.

Next Steps for the Community

The community has a number of critical decisions to make in order to move forward from the exploit. The first is whether to issue a reimbursement for Fuse users affected by the exploit. Discussions on this are currently being held in the Tribe forums, and the proposal recently went to Snapshot.

Second, the community must decide how to resume Fuse activity in the exploited pools. If a vote to reimburse passes, the DAO can pay back the debt on behalf of the hacker, which would restore the pools to a healthy state. If the DAO votes for another option that does not reset the bad debt, there are significant technical challenges associated with reactivating these pools.

Next, there will be a discussion on additional Fuse security measures and the ramifications of waiting for an external audit to reenable borrowing. The Tribe community, Fuse users, current pool creators, and parties intending to create pools should all be involved in this discussion.

Finally, there will be a discussion on the future of the Tribe DAO insuring Fuse pools. Following the vote to reimburse the recent exploit there will be no insurance on Fuse. Any future insurance will be an explicit policy from the DAO. This may entail select pools being insured or none being insured. This decision will be up to the community to discuss, identify, and vote on.

To the Community and Security Researchers

This pull request, encompassing the changes discussed in this article, is in scope for the Tribe DAO bug bounty as a major change to the Fuse codebase. There is a $2.2m payout for critical vulnerabilities, which applies to this change and anything else in the scope of the bounty; see the official ImmuneFi report for scope and additional terms.

The Rari Capital roadmap is evolving quickly. The success of permissionless money markets mandates significant changes to the status quo. To build trust with a subset of Fuse pools and more accurately reflect the permissionless nature of the protocol, the branding of an isolated lending market will become more closely tied to its operator. This separation mandates significant changes to the Rari Capital dApp and to the branding of the Fuse protocol. There will be a separate, comprehensive post discussing these changes at length in the near future.

Thank you to the Tribe community, Fuse users, and victims of the exploit for your continued patience and support as we work through these challenges together. There are many good paths forward from here that can lead us to a brighter future for the Tribe.
