Rari Fuse hacker offered $10M bounty by Fei Protocol to return $80M loot


Decentralized finance (DeFi) platform Fei Protocol offered a $10 million bounty to hackers in an attempt to negotiate and retrieve a major chunk of the stolen funds from various Rari Fuse pools worth $79,348,385.61 — nearly $80 million.

On Saturday, Fei Protocol informed its investors about an exploit across numerous Rari Capital Fuse pools and asked the hackers to return the stolen funds in exchange for a $10 million bounty and a “no questions asked” commitment.

While the exact losses from the exploit were not officially released, DeFi investigator BlockSec’s monitoring system detected a loss of more than $80 million, citing the root cause as a typical reentrancy vulnerability. Reentrancy bugs have been the main culprit in many exploits within the DeFi ecosystem, and the $80 million loot makes the Fei Protocol exploit one of the largest reentrancy hacks ever.

Invocation flow. Source: BlockSec

Upon further investigation, Rari developer Jack Longarzo revealed a total of six vulnerable pools (8, 18, 27, 127, 144, 146, 156) that have been temporarily paused while an internal fix is underway. At the time of writing, Rari’s internal and external security engineers had partnered with DeFi service provider Compound Treasury to further investigate and neutralize the hack.

Providing further insight into the development, blockchain investigator PeckShield narrowed the exploit down to a reentrancy bug, in which a function makes an external call to another, untrusted contract that can call back into it before the original call has finished.
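The call ordering behind a reentrancy bug can be seen in a small Python model, added here as an illustration; it is not part of the original article and is not code from Rari, Fei or any real contract. The names `Pool`, `CallbackAccount` and `run` and all amounts are constructed; the model compares a withdrawal that updates its ledger after the external call with one that updates first and holds a lock.

```python
# Constructed model; Pool, CallbackAccount and run are hypothetical names.
class Pool:
    def __init__(self, reserves, hardened):
        self.reserves = reserves   # funds owned by other depositors
        self.balances = {}         # credited balance per account
        self.hardened = hardened
        self.locked = False        # reentrancy lock, enforced only when hardened

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.reserves += amount

    def withdraw(self, account):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0 or amount > self.reserves:
                return
            if self.hardened:
                self.balances[account] = 0   # effect before interaction
            self.reserves -= amount
            account.receive(self, amount)    # external call into untrusted code
            if not self.hardened:
                self.balances[account] = 0   # effect after interaction: too late
        finally:
            self.locked = False

class CallbackAccount:             # untrusted counterparty with a receive hook
    def __init__(self, reentries=3):
        self.received = 0
        self.reentries = reentries

    def receive(self, pool, amount):
        self.received += amount
        if self.reentries > 0:
            self.reentries -= 1
            try:
                pool.withdraw(self)          # call back before withdraw() returns
            except RuntimeError:
                pass                         # hardened pool refused the nested call

def run(hardened):
    pool = Pool(reserves=100, hardened=hardened)
    account = CallbackAccount()
    pool.deposit(account, 10)
    pool.withdraw(account)
    return account.received, pool.reserves
```

With the ledger update placed after the external call, the account credited with 10 units is paid four times; with the update first and the lock held, it is paid once and the other depositors' reserves are untouched.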

Security-focused ranking platform CertiK told Cointelegraph that the attacker has sent 5400 Ether (ETH), or $15,298,900 at the time of writing, to Tornado Cash and still holds 22,672.97 ETH, or $64,245,245.43 at the time of writing, in their wallet. The attack has drained funds from the Rari pool while the Fei Pools (Tribe, Curve) remain unaffected.

Last year, on May 8, 2021, Rari Capital fell victim to a high-priced exploit related to its integration with Alpha Venture DAO, previously Alpha Finance Lab. At the time of writing, there have been no official announcements from the Fei Protocol team on the results of their investigation.


As the crypto community fights an ever-evolving battle against hackers, numerous projects and protocols have decided to step up their security measures. On Th, the Ronin Network and Sky Mavis revealed plans to upgrade their smart contracts — following the $600 million hack in the previous month.

The United States Federal Bureau of Investigation (FBI) attributed the attack to the North Korea-based, state-sponsored hacking group Lazarus as it issued a warning to other crypto and blockchain organizations.


