Fairyproof’s Analysis of the Attack on Rari Capital
On April 30, 2022, Rari Capital, a DeFi application deployed on Ethereum, was attacked.
The attacker’s address was 0x6162759edad730152f0df8115c698a42e666157f on Ethereum.
The attacking contract was deployed at 0x32075bad9050d4767018084f0cb87b3182d36c45 on Ethereum.
The contract that had a vulnerability was deployed at 0xd77E28A1b9a9cFe1fc2EEE70E391C05d25853cbF on Ethereum.
In this incident, the exploited crypto assets were valued at around $79.21 million.
The “doTransferOut” function in “CEther.sol” was vulnerable to a re-entrancy attack. The code was as follows:
The call function here was open to re-entrancy, and the attacker amplified the attack by using a flash loan.
The exploited assets included 6073 ETH, 20.25 million FeiUSD, 14.27 million DAI, 1.94 million LUSD, 2.75 million UST, 13.10 million FRAX, 10.05 million USDC, and 132000 USDT.
The hacker exchanged these ERC-20 tokens for ETH and got a total of 28072 ETH valued at around $79.21 million.
The hacker cashed out 5400 ETH via Tornado Cash.
Fairyproof would like to reiterate three suggestions to prevent this issue from happening:
- Projects that forked Compound’s core functional code should add locks to prevent re-entrancy attacks.
- Always change states before making transfers.
- Be cautious about using “SafeTransferETH”. Using “transfer” is preferable to using “SafeTransferETH”.
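The three suggestions above, shown as a minimal Solidity sketch with the weak ordering beside the hardened one. This is an added example, not Rari Capital's or Compound's code: the contract name EtherPool, its functions and its simple per-account balance model are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only: NOT the CEther.sol code. EtherPool and all of its
// members are hypothetical names; the per-account balance model is an assumption.
contract EtherPool {
    mapping(address => uint256) public balances;
    bool private locked; // re-entrancy lock flag

    // Suggestion 1: reject any call that arrives while another is still running.
    modifier nonReentrant() {
        require(!locked, "re-entrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Weak form: ETH leaves through a low-level call that forwards all
    // remaining gas, and the balance is cleared only afterwards. Code in the
    // recipient runs while balances[msg.sender] still holds the old value.
    function withdrawUnsafe() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // state change after the transfer
    }

    // Hardened form: lock, then state change, then transfer.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;              // Suggestion 2: state first
        payable(msg.sender).transfer(amount);  // Suggestion 3: 2300-gas stipend
    }
}
```

The lock only helps if every externally callable function that reads or writes the same state carries it.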