How Hackers Looted 2600 ETH In Rari Capital Cross-Chain Exploit

Ethereum (ETH) based yield aggregator Rari Capital was attacked this weekend by a group of bad actors. As a result, 2,600 in this cryptocurrency were stolen from the Rari Capital Ethereum Pool, as a post-mortem report released by core contributors confirmed.

The attack took place at around 1:48 PM UTC, May 8^th, with a series of transactions that lasted for almost an hour. Rari Capital’s product deposits ETH into Alpha Homoras’ ibETH interest-bearing token as part of their strategy.

The protocol’s pool contract operates with the ibETH.totalETH()/ibETH.totalSupply(), used to calculate the exchange rate for the ibETH/ETH pair. A separate report from Alpha Finance Labs claims that this operation can “lead to incorrect assumption”. Rari Capital report stated the following:

According to Alpha Finance, `ibETH.totalETH()` is manipulatable inside the `ibETH.work` function, and a user of `ibETH.work` can call any contract it wants to inside `ibETH.work`, including the Rari Capital Ethereum Pool deposit and withdrawal functions.

On Ethereum, the attack began when the bad actors took a flash loan from protocol dYdX for around 59,000 in this cryptocurrency. The funds were into Rari’s Ethereum based pool with the correct conversion rate for the aforementioned trading pair.

Then, the attackers used the function “work” which enabled them to trigger their offensive by encoding an “evil” fToken contract. This allowed the hackers to artificially inflate their ibETH/ETH rate.

At 2:29 PM +UTC, the possible root of the exploits was discovered. At 2:34 PM +UTC, actions on Alpha Homora were paused. The losses represented around 60% of all users fund in this Ethereum-based Pool. However, only Rari’s funds were lost, as Alpha Finance’s report claims. Rari Capital said:

At the end of `ibETH.work`, the value of `ibETH.totalETH()` returns to its true value, leading the Rari Capital Ethereum Pool’s balances to values lower than they were before the attack as a result of the attacker withdrawing more than they deposited while their balance was artificially inflated.

ETH Funds Stolen From Binance Smart Chain

Researcher Igor Igamberdiev revealed that the exploit was far more complex than usual. According to a separate report made by Igamberdiev, the attack on Rari Capital is the first cross-chain exploit in the crypto space.

The researcher believes that the hackers first took funds from a Binance Smart Chain yield aggregator called Value DeFi. This protocol suffers multiple attacks on its products, VSafe and VSwap, and the bad actors looted 5,346 BNB which immediately were converted into 1,000 ETH.

On Binance Smart Chain, the hackers also created a fake token which was pool into exchange PancakeSwap. This allowed them to interact with protocol Alpaca Finance. Igamberdiev stated:

Interact with Alpaca Finance, where when calling approve() for a fake token, a payload is called, which allows an attacker to use VSafe through Codex farm to get vSafeWBNB. Convert vSafeWBNB to WBNB. All WBNB transferred to Ethereum through Anyswap.

To fight these types of attacks in the future, Rari Capital took additional security steps, such as place their protocol integration under review, check all invariants for potential malfunctions, and others. However, Igamberdiev concluded the following:

The interoperability between DeFi protocols is becoming more complex, which opens up new vectors of attacks. This attack was similar in difficulty to the Pickle Evil Jar and will become even more frequent in the future.

Ethereum trades at $3,918 with a 2.1% profit in the daily chart and a 31.9% profit in the weekly chart.