Rari Capital falls victim to $11 million exploit

Rari’s RGT token is plummeting on the news.

After a $11 million attack earlier today, Rari Capital is the latest decentralized finance (DeFi) protocol to fall victim to a high-priced exploit 

The platform, which builds optimized yield vaults and boutique lending pools, confirmed the attack in a Tweet and said that a full postmortem is forthcoming:

There has been an exploit in the Rari Capital ETH Pool related to our @AlphaFinanceLab integration.

The rebalancer has removed all funds from Alpha in response.

We are currently investigating the situation and a full report will be shared once everything is assessed.

— Rari Capital (@RariCapital) May 8, 2021

Per whitehat hacker Emiliano Bonassi, the exploit appears to be an “evil contract” exploit, in which an attacker ‘tricks’ a contract into thinking a hostile contract should have access or permissions. Alpha Finance announced in a Tweet that the hack was related to Rari’s interest-bearing ibETH vault, but that no Alpha funds were at risk:

Funds are SAFE on #AlphaHomora.

We are notified that @RariCapital has suffered from an exploit that was due to the incorrect assumption when using HomoraBank contract, as they were setting up an ibETH pool on their platform.#Alpha team is here to help.

— Alpha Finance Lab (@AlphaFinanceLab) May 8, 2021

The hacker’s wallet currently holds 4,005 ETH worth over $15,000,000, but a portion of those funds appear to be from a separate exploit. 

Like many before him, the attacker appears to have considered sending a message to the Rari team, but cancelled the transaction. Because he paid a low gas fee, however, observers were able to notice the message as a pending transaction before it was cancelled:

The hacker has left a base64-encoded message saying

alpha=ok # saved rari 6mhttps://t.co/WQpiPksDOX pic.twitter.com/ruMH8Wam5s

— banteg (@bantg) May 8, 2021

While taking the aborted victory lap, the attacker’s message also seemed to imply that the Alpha Homura team prevented an additional $6 million drain. 

Already users are taking to Twitter to speculate about what form the team’s compensation plan might take. Compensating users affected by hacks and exploits is becoming an increasingly common practice, most recently with EasyFi revealing their compensation plan after a crippling $60 million exploit.

The Rari Capital team has often been a target of both community support and derision. The team is notably young, with one developer reportedly being 15 years old. One of their key investors, Twitter user Tetranode, joked on a recent Up Only podcast that, despite only being middle aged, the team frequently and playfully taunts him as a “boomer.”

As such, while some have criticized the team and attempted to blame youthful inexperience for the attack, other have noted that security practices in DeFi are continually evolving and have been quick to voice support for the team, including SushiSwap CTO Joseph Delong:

This is a tragedy, we love that team

— Jo-sofa De-lounge (@josephdelong) May 8, 2021

$RGT, Rari’s governance token, is down 23.24% to $13.35 on the news.