(5/8/21) Rari Capital Exploit Timeline & Analysis

Rari Exploiter address (same address as Value Defi exploiter on BSC): https://etherscan.io/address/0xcb36b1ee0af68dce5578a487ff2da81282512233

Exploiter net gain: ~2600 ETH (~$10M)

On Saturday May 8th 1:48PM UTC, an exploiter started a series of transactions to Rari Capital’s Ethereum Pool contract and was able to exploit ~2600 ETH in the process that lasted for ~50 minutes.

High-level Exploit Analysis

  • Rari Capital’s Ethereum Pool contract calculates the ibETH/ETH exchange rate by using the ibETH.totalETH()/ibETH.totalSupply() calculation from the ibETH contract, which can lead to incorrect assumption (e.g. during the work function call, where debt value gets updated towards the very end).

Exploit & Action Timeline

  • 1:48PM +UTC Rari Exploiter started executing the exploit

The Exploit Technical Analysis

The exploit comes in a set of 2 (repeated) transactions:

Tx 1 ("work" call to Alpha Homora):

  1. Exploiter flashloans 59k ETH from dYdX.

Tx 2 ("donate" call to RariFundController):

  1. Exploiter calls donate to redeem underlying ETH from the extra REPT.

Remarks

Special thanks to PeckShield team for the quick notification and thorough investigation.

Also, the war room was quickly set up shortly after the Rari Capital exploit. DeFi developers and white-hackers, including C.R.E.A.M. team, Yearn team, Emiliano Bonassi, Calvin Chu, all gathered in the war room to help investigate and track the exploit. So, just want to say thanks to all.

Lead Engineer & Blockchain Researcher of Alpha Finance Lab | Ex-CRO OZT Robotics | B.S. & M.Eng. @MIT

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store