Decentralized finance (DeFi) platform Fei Protocol offered a $10 million bounty to hackers in an attempt to negotiate and recover a large chunk of the funds stolen from various Rari Fuse pools, worth $79,348,385.61, or about $80 million.
On April 30, Fei Protocol notified its investors of an exploit in several Rari Capital Fuse pools and asked the hackers to return the stolen funds in exchange for a $10 million bounty and a ‘no questions asked’ commitment.
We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and have stopped all borrowings to minimize further damage.
To the exploiter, please accept a $10m bounty and no questions asked if you refund the remaining user funds.
— FEI Protocol (@feiprotocol) April 30, 2022
While the exact damage caused by the exploit was not officially released, the monitoring system of DeFi investigator BlockSec detected losses of more than $80 million, citing a specific reentrancy vulnerability as the root cause. While reentrancy bugs have been the main culprits in many exploits across the DeFi ecosystem, the $80 million loot makes the Fei Protocol incident one of the biggest reentrancy hacks ever.
Upon further investigation, Rari developer Jack Longarzo revealed a total of six vulnerable pools (8, 18, 27, 127, 144, 146, 156) that have been temporarily halted while an internal fix is underway. At the time of writing, Rari’s internal and external security engineers have partnered with DeFi service provider Compound Treasury to further investigate and neutralize the hack.
Providing further insight into the development, blockchain investigator PeckShield narrowed the exploit down to a reentrancy bug that allowed hackers to access a function and make external calls to another untrusted contract.
Old reentrancy bug bites again at Compound forks w/ $80M loss! This time, it re-enters via exitMarket() !!! https://t.co/NpC8AAZRXc
Check out all the Compound forks in the EVM-compliant chain. Contact your auditors now or feel free to contact us if we can be of any assistance pic.twitter.com/M9JElTWMSd
– PeckShield Inc. (@peckshield) April 30, 2022
Security-focused ranking platform CertiK told Cointelegraph that the attacker sent 5400 Ether (ETH) (~$15,298,900) to Tornado Cash and still has $64,245,245.43 (22,672.97 ETH) in his wallet. The attack drained money out of the Rari pool, while the Fei pool (Tribe, Curve) remains unaffected.
Last year, on May 8, 2021, Rari Capital became the victim of a high-priced exploit related to an integration with Alpha Venture DAO (formerly Alpha Finance Lab). At the time of reporting, there has been no official announcement from the Fei Protocol team on the results of their investigation.
As the crypto community continues to evolve against hackers, many projects and protocols have decided to enhance their security measures. On April 28, Ronin Network and Sky Mavis revealed plans to upgrade their smart contracts, following a $600 million hack in the previous month.
We’ve put together a postmortem about Ronin’s exploits on March 23rd.
• Why did this happen
• What are we doing to make sure this doesn’t happen again?
• Ronin Bridge Re-Opening Update https://t.co/FfwCtCG84E
— Ronin (@Ronin_Network) April 27, 2022
The Federal Bureau of Investigation (FBI) blamed the North Korea-based, state-sponsored hacking group Lazarus for the attack, as it warned other crypto and blockchain organizations.