
Fei Protocol offers the Rari Fuse hacker a $10 million bounty to return $80 million in loot

Decentralized finance (DeFi) platform Fei Protocol offered hackers a $10 million bounty to negotiate the return of a large chunk of the funds stolen from various Rari Fuse pools, worth $79,348,385.61, or nearly $80 million.

On Saturday, Fei Protocol informed its investors about an exploit in numerous Rari Capital Fuse pools and demanded that the hackers return the stolen funds in exchange for a $10 million bounty and a no-questions-asked pledge.

While the exact losses from the exploit have not been officially released, DeFi investigator BlockSec's monitoring system uncovered a loss of more than $80 million, citing the root cause as a typical reentrancy vulnerability. Reentrancy bugs have been the main culprit in many exploits within the DeFi ecosystem, and the $80 million loot makes the Fei Protocol incident one of the biggest reentrancy hacks of all time.

Figure: call flow. Source: BlockSec

Upon further investigation, Rari developer Jack Longarzo revealed a total of six vulnerable pools (8, 18, 27, 127, 144, 146, 156) that were temporarily suspended while an internal fix was in progress. At the time of writing, Rari’s internal and external security engineers were working with DeFi service provider Compound Treasury to further investigate and neutralize the hack.

Blockchain investigator PeckShield provided further insight into the development and narrowed the exploit down to a reentrancy bug, which lets an attacker exploit a function that makes an external call to another, untrusted contract.
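The call ordering behind a reentrancy bug of the kind described above, as an added example that is not from the article, BlockSec, PeckShield or Rari. It is a toy Python model (the `Pool` class, the account names and the amounts are all constructed) of a payout function that calls the recipient before updating its books, next to a hardened form that updates state first and rejects nested entry.

```python
# Toy Python model of a reentrancy bug; constructed, not Rari Fuse or Fei code.
class ReentrancyError(Exception):
    pass

class Pool:
    def __init__(self, deposits, hardened):
        self.balances = dict(deposits)      # internal bookkeeping per account
        self.cash = sum(deposits.values())  # funds the pool actually holds
        self.hardened = hardened
        self._locked = False                # reentrancy guard flag

    def withdraw(self, account, receiver):
        """Pay out an account; receiver(pool, amount) models the external
        call into the recipient's untrusted code."""
        if self.hardened:
            if self._locked:                # guard: reject nested entry
                raise ReentrancyError("nested withdraw rejected")
            self._locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0 or self.cash < amount:
                return
            self.cash -= amount
            if self.hardened:
                self.balances[account] = 0  # effect before interaction
                receiver(self, amount)
            else:
                receiver(self, amount)      # interaction first ...
                self.balances[account] = 0  # ... books updated too late
        finally:
            if self.hardened:
                self._locked = False

def simulate(hardened):
    """Return (paid_out, pool_cash_left, rejected_nested_calls)."""
    pool = Pool({"alice": 100, "bob": 100, "carol": 100}, hardened)
    seen = {"paid": 0, "rejected": 0}

    def untrusted_receiver(p, amount):
        seen["paid"] += amount
        if p.cash > 0:                      # calls back in while being paid
            try:
                p.withdraw("carol", untrusted_receiver)
            except ReentrancyError:
                seen["rejected"] += 1

    pool.withdraw("carol", untrusted_receiver)
    return seen["paid"], pool.cash, seen["rejected"]
```

In the vulnerable run the pool pays out 300 against a 100 deposit because the balance is still unchanged during each nested call; in the hardened run the nested call is rejected and the other depositors' 200 stays in the pool.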

Security-focused ranking platform CertiK told Cointelegraph that, at the time of writing, the attacker had sent 5400 Ether (ETH), or $15,298,900, to Tornado Cash and still held 22,672.97 ETH, or $64,245,245.43, in his wallet. The attack drained funds from the Rari pool while leaving the Fei pools (Tribe, Curve) untouched.

Last year, on May 8th, 2021, Rari Capital fell victim to a costly exploit related to its integration with Alpha Venture DAO, formerly Alpha Finance Lab. At the time of writing, there have been no official announcements from the Fei Protocol team regarding the findings of their investigation.


As the crypto community fights an ever-evolving battle against hackers, numerous projects and protocols have decided to strengthen their security measures. On Thursday, the Ronin Network and Sky Mavis revealed plans to update their smart contracts, following the previous month's $600 million hack.

The United States Federal Bureau of Investigation (FBI) attributed the attack to the North Korea-based, state-sponsored hacking group Lazarus as it issued a warning to other crypto and blockchain organizations.