Decentralized finance (DeFi) platform Fei Protocol offered hackers a $10 million bounty to negotiate and retrieve a large chunk of stolen funds from various Rari Fuse pools worth $79,348,385.61 — nearly $80 million.
On Saturday, Fei Protocol informed its investors about an exploit in numerous Rari Capital Fuse pools and demanded that the hackers return the stolen funds in exchange for a $10 million premium and a no-questions-asked pledge.
We are aware of an exploit in various Rari Fuse pools. We identified the root cause and paused borrowing to mitigate further damage.
For the exploiter, please accept a bounty of $10 million and ask no questions when returning the remaining user funds.
— Fei Protocol (@feiprotocol) April 30, 2022
While the exact losses from the exploit have not been officially released, DeFi investigator BlockSec’s monitoring system uncovered a loss of more than $80 million, citing the root cause as a typical reentrancy vulnerability. While reentrancy bugs have been the main culprit in many exploits within the DeFi ecosystem, the $80 million loot makes the Fei Protocol incident one of the biggest reentrancy hacks of all time.
Upon further investigation, Rari developer Jack Longarzo revealed a total of six vulnerable pools (8, 18, 27, 127, 144, 146, 156) that were temporarily suspended while an internal fix was in progress. At the time of writing, Rari’s internal and external security engineers were working with DeFi service provider Compound Treasury to further investigate and neutralize the hack.
Blockchain investigator PeckShield provided further insight into the development and narrowed the exploit down to a reentrancy bug: a function makes an external call to another, untrusted contract, and that contract calls back into the function before it has finished updating its own state.
Old reentrancy bug bites compound forks again with $80m loss! This time it reenters via exitMarket()!!!
Attention all compound forks in EVM compliant chains. Get in touch with your auditors now or contact us if we can be of any further assistance pic.twitter.com/M9JElTWMSd
— PeckShield Inc. (@peckshield) April 30, 2022
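To make the root cause described above concrete, the Python model below is an added example, not Rari, Fei or Compound code; the pool, its exit() function and the amounts are hypothetical simplifications that stand in for the exitMarket() path PeckShield points at. It shows why an external call placed before the balance update lets a single exit call drain a pool, and how checks-effects-interactions plus a reentrancy guard (the mitigation auditors look for in Compound-style forks) confines the same call to the caller's own deposit.

```python
"""Toy model of a lending-pool exit path, with and without reentrancy protection.

Added for illustration only; it is not Rari, Fei or Compound code. The pool is
a hypothetical simplification: one exit() function that returns a caller's
deposit, where paying the caller hands control to the caller.
"""


class ReentrancyDetected(Exception):
    """Raised when exit() is entered again while a previous call is in flight."""


class Pool:
    """Minimal pool. guarded=False reproduces the vulnerable ordering (external
    call before the balance is zeroed); guarded=True applies
    checks-effects-interactions plus a mutex, the standard mitigation."""

    def __init__(self, liquidity: int, guarded: bool) -> None:
        self.liquidity = liquidity      # funds held for all depositors
        self.balances: dict = {}        # account -> credited deposit
        self.guarded = guarded
        self._locked = False
        self.rejected_reentries = 0     # how often the guard refused a re-entry

    def deposit(self, account, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.liquidity += amount

    def exit(self, account) -> int:
        if self.guarded:
            return self._exit_guarded(account)
        return self._exit_vulnerable(account)

    def _exit_vulnerable(self, account) -> int:
        amount = self.balances.get(account, 0)
        if amount == 0 or amount > self.liquidity:
            return 0
        self.liquidity -= amount
        # Interaction before effect: the recipient gets control while its
        # balance is still credited, so a re-entrant exit() is paid again.
        account.receive(self, amount)
        self.balances[account] = 0
        return amount

    def _exit_guarded(self, account) -> int:
        if self._locked:
            self.rejected_reentries += 1
            raise ReentrancyDetected("exit() re-entered while locked")
        self._locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0 or amount > self.liquidity:
                return 0
            # Effects first: zero the credit and debit liquidity, then interact.
            self.balances[account] = 0
            self.liquidity -= amount
            account.receive(self, amount)
            return amount
        finally:
            self._locked = False


class Account:
    """Plain recipient: records what it was paid and does nothing else."""

    def __init__(self) -> None:
        self.received = 0

    def receive(self, pool: Pool, amount: int) -> None:
        self.received += amount


class ReentrantAccount(Account):
    """Recipient whose payment callback calls exit() again before the first call
    has finished. It swallows a rejected inner call, as a contract can by
    ignoring a failed low-level call, so the outer call still completes."""

    def receive(self, pool: Pool, amount: int) -> None:
        self.received += amount
        try:
            pool.exit(self)
        except ReentrancyDetected:
            pass


def simulate(guarded: bool, reentrant: bool, pool_liquidity: int = 100, deposit: int = 10):
    """Deposit, then call exit() once. Returns (amount the caller received,
    liquidity left for everyone else, re-entries the guard refused).
    The 100 units of pre-existing liquidity model other users' deposits."""
    pool = Pool(liquidity=pool_liquidity, guarded=guarded)
    caller = ReentrantAccount() if reentrant else Account()
    pool.deposit(caller, deposit)
    pool.exit(caller)
    return caller.received, pool.liquidity, pool.rejected_reentries


if __name__ == "__main__":
    for guarded in (False, True):
        for reentrant in (False, True):
            print(f"guarded={guarded!s:5} reentrant={reentrant!s:5} ->",
                  simulate(guarded, reentrant))
```

In the unguarded pool a re-entrant recipient that deposited 10 walks away with all 110 units and leaves nothing for the other depositors; in the guarded pool the same recipient gets exactly its 10 back, the re-entry is refused once, and the other 100 units stay in the pool. Note that the checks-effects-interactions ordering alone already makes the re-entry harmless (the balance is zero by the time the callback runs); the mutex is the belt-and-braces layer that also makes the attempt visible.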
Security-focused ranking platform CertiK told Cointelegraph that, at the time of writing, the attacker had sent 5,400 Ether (ETH), or $15,298,900, to Tornado Cash and still held 22,672.97 ETH, or $64,245,245.43, in their wallet. The attack drained funds from the Rari pool while leaving the Fei pools (Tribe, Curve) untouched.
Last year, on May 8th, 2021, Rari Capital fell victim to a costly exploit related to its integration with Alpha Venture DAO, formerly Alpha Finance Lab. At the time of writing, there have been no official announcements from the Fei Protocol team regarding the findings of their investigation.
As the crypto community goes through an ever-evolving battle against hackers, numerous projects and protocols have decided to strengthen their security measures. On Thursday, the Ronin Network and Sky Mavis revealed plans to update their smart contracts — following the previous month’s $600 million hack.
We’ve put together an autopsy on the March 23 Ronin exploit.
• Why it happened
• What we are doing to ensure this never happens again
• Ronin Bridge Reopening Update https://t.co/FfwCtCG84E
— Ronin (@Ronin_Network) April 27, 2022
The United States Federal Bureau of Investigation (FBI) attributed the attack to the North Korea-based, state-sponsored hacking group Lazarus as it issued a warning to other crypto and blockchain organizations.
https://cointelegraph.com/news/rari-fuze-hacker-offered-10m-bounty-by-fei-protocol-to-return-80m-loot The Rari Fuze hacker offered a $10 million bounty from the Fei Protocol to return $80 million in loot