🚒 Containing the Fuse Exploit

Ramon Recuero
Babylon.finance
May 3, 2022

Babylon is a community-led asset management protocol that enables users to create investment clubs (we call them gardens) and invest in DeFi together. It’s built on the Ethereum network and it’s non-custodial, transparent, permission-less, and governed by the community. BABL is the governance token behind it.

TLDR: Babylon was not hacked. Strategies that deposited into the fuse pool will be backstopped. There is going to be an on-chain proposal in FEI/Rari to refund the loss. If it doesn’t go through, Babylon will cover it (up to its means). The goal is that no user funds will be affected.

On February 10th, we released the Babylon Lending & Borrowing markets. The Babylon Gold lender pool on Rari allows Babylonians and garden strategies to deposit $BABL as collateral and borrow assets from it.

Since its inception, activity had been growing steadily, reaching more than $8M in collateral and $2M in borrowings.

On April 20th, Rari Fuse pools were hacked and more than $70M was extracted.

In this post, we are going to explain the attack, its immediate impact on Babylon, our response to the event, and the timeline for the resolution.

🔥 Following the smoke

Around 4 am PST on April 30th, our team became aware of the issue and immediately saw the following in our fuse pool.

The TVL in our Fuse Pool jumped from $8.7M to $46.8M and the borrowings increased from $2.1M to $43.7M 😱

WTH happened? Shortly afterward we started looking at the transactions of our Comptroller markets on Etherscan, and this is what we found:

https://etherscan.io/tx/0x254735c6c14e4d338b1cc5bca43aab6b0f395ae06085013b1b2527180d270a31

The following account, 0x6162759edad730152f0df8115c698a42e666157f, managed to extract $3.41M of collateral from our Fuse Pool across ETH, DAI, FRAX and FEI.

Three Babylon gardens had strategies active on the Fuse Pool: ⛲️ The Fountain of ETH, 💲The Stable Garden, and Stable Pebble. Immediately, we took the following measures:

  • We paused BABL rewards on the Fuse pool until normal operation is restored.
  • We changed the interest rate model to a flat 3% so that nobody gets liquidated while the pool is in this state.
  • We paused borrowing.

🔎 Investigating the attack

How is this attack possible? Isn’t the Fuse Pool a fork of the battle-tested Compound protocol? As usual, the answer is it’s complicated.

The following 🧵 on Twitter does a great job of explaining the technical details.

Basically, the hacker was able to exploit several Fuse pools and obtain more than $70M in digital assets due to these two factors:

  • Compound's market contracts contain a reentrancy vector. Compound itself is safe because, before listing a token, the team checks that the token has no hook through which a transfer recipient could re-enter the protocol.
  • ETH on the Fuse Pool does have such a hook, because the Fuse CEther market sends ETH with .call instead of transfer, and .call forwards enough gas for the recipient's fallback function to run arbitrary code.

The attacker was therefore able to re-enter and call borrow in a loop, inflating the position until all the collateral could be withdrawn. That is why every affected Fuse pool shows an enormous fake TVL in the Fuse UI.
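As an added illustration (not code from Babylon, Rari or Compound), the following Python toy model reproduces the two factors above: a borrow that sends funds out before it records the new borrow balance, and a recipient hook that only runs when the asset is sent with .call rather than transfer. The Compound-style ordering, the collateral factor, the amounts and the re-entry depth are assumptions of the model.

```python
# Added toy model (not Babylon, Rari or Compound code) of a Compound-style market whose
# borrow() sends the asset out before writing the new borrow balance. transfer() runs no
# recipient code, so that order is harmless; .call() runs a fallback that can re-enter.
COLLATERAL_FACTOR = 0.75  # assumed: 1 unit of collateral backs 0.75 units of borrow

class Market:
    def __init__(self, cash, use_call, effects_first):
        self.cash, self.collateral, self.debt = cash, {}, {}
        self.use_call = use_call            # True: .call semantics, recipient hook runs
        self.effects_first = effects_first  # True: record debt before transferring (CEI)

    def deposit(self, who, amount):
        self.collateral[who] = self.collateral.get(who, 0) + amount

    def liquidity(self, who):  # borrowing power left, from what storage currently says
        return self.collateral.get(who, 0) * COLLATERAL_FACTOR - self.debt.get(who, 0)

    def borrow(self, borrower, amount):
        if amount > self.liquidity(borrower.name) or amount > self.cash:
            raise ValueError("borrow rejected: insufficient liquidity")
        new_debt = self.debt.get(borrower.name, 0) + amount
        if self.effects_first:
            self.debt[borrower.name] = new_debt   # hardened: effect before interaction
        self.cash -= amount
        borrower.received += amount
        if self.use_call:
            borrower.on_receive(self)             # fallback gets full gas, may re-enter
        if not self.effects_first:
            self.debt[borrower.name] = new_debt   # vulnerable: stale value written late

class ReentrantBorrower:
    """Recipient whose fallback tries to borrow again, up to `depth` nested times."""
    def __init__(self, name, amount, depth):
        self.name, self.amount, self.depth = name, amount, depth
        self.received, self.calls = 0, 0
    def on_receive(self, market):
        if self.calls < self.depth:
            self.calls += 1
            try:
                market.borrow(self, self.amount)
            except ValueError:
                pass  # a hardened market rejects the nested borrow

def run(use_call, effects_first, depth=5):
    """One borrow of 70 against 100 collateral; returns (received, debt recorded)."""
    market = Market(cash=1000, use_call=use_call, effects_first=effects_first)
    borrower = ReentrantBorrower("attacker", amount=70, depth=depth)
    market.deposit(borrower.name, 100)    # 100 collateral -> 75 of borrowing power
    market.borrow(borrower, 70)
    return borrower.received, market.debt[borrower.name]
```

In the vulnerable configuration (.call, state written last) the market pays out 420 but records only 70 of debt, so its own liquidity check still sees the position as solvent; writing the debt first, or refusing to list assets with such hooks, stops the nested borrow at the liquidity check.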

🔎 Moving Forward

Rari & FEI announced on a Twitter space that there is going to be a governance proposal to backstop the attack and refund the fuse pools affected.

This would ensure that all user funds, and Babylon as a whole, are not affected by the event.

In order to ensure a smooth restart of the fuse pool, we are going to take the following measures:

  • Assess each new market we add to our Fuse pool, and do not add any token whose transfer hooks could be used for a reentrancy attack.
  • Once the refund is completed, we will resume BABL rewards and issue an extra reward to the strategies affected to compensate.

To reiterate this point, Babylon has not been hacked and its smart contracts are safe. We have completed 8 security audits to date and have a 💰 $100k security bug bounty on Immunefi.

🌴 Babylon must go on

In the middle of this 🐻 market, where most protocols have seen their TVL decrease, Babylon has been growing thanks to all your support 🙏.

We have grown from $16M to $23M in just two weeks.

In order to show our confidence in the protocol, the team is going to deploy funds to the following gardens:

  • 50k to 💲 The Stable Garden
  • 34 ETH to ⛲ The Fountain of ETH
  • 50k to 🥒 The Pickle Field (coming this week).

If you haven’t yet, please visit Babylon by clicking this link👇

https://babylon.finance/explore

We are building Babylon to help people access the best opportunities in crypto through native DeFi investment clubs or gardens. You can now invest along with others, save on gas, speed up your learning and minimize your transactions all at once.

Here are some of the top-performing gardens in Babylon:

⛲️ The Fountain of ETH. Deposit ETH and grow it using staking and lending strategies.

💲 The Stable Garden. Deposit and grow your DAI with yield farming strategies.

🫀The Heart of Babylon. Stake your BABL, reinvest protocol fees and vote on governance for free.

Join our Discord to become part of Babylon.
