Defi Lender Rari Capital hacked Offers $10M Bounty to Hacker

[lionheart78]

Yet another Defi Hack happened early this Saturday.  Rari Capital a Defi Lending platform had been hacked by more than $80M last Saturday.  It was said that it the hacker exploited a reentrancy vulnerability in Rari's Fuse lending protocol.  Amidst the chaos Fei Protocol, which merged last December with Rari, offered to let the attacker keep $10 million of the stolen funds as a "bounty" if the remaining funds were returned.  Details can be read on this Article

Highlights of the report:

The hacker exploited a reentrancy vulnerability in Rari's Fuse lending protocol, according to a tweet by smart contract analysis firm Block Sec.

BlockSec Tweet link:
https://twitter.com/BlockSecTeam/status/1520350965274386433
Tweet Screenshot:

   According to a tweet from Blockchain security firm PeckShield, the same vulnerability has been used to attack other forks of the Compund DeFi protocol.

    Rari Capital acknowledged the hack, saying borrowing has been paused globally and that no further funds were at risk.

    Fei Protocol, which merged last December with Rari, offered to let the attacker keep $10 million of the stolen funds as a "bounty" if the remaining funds were returned.

Fei Protocol tweet offering link:
https://twitter.com/feiprotocol/status/1520344430242254849
Tweet Screenshot:


if we may recall this is not the first time Rari Capital had been hacked, it was also hacked last year on May 9, 2021 .

This brings a serious question on the capability of the developer and security programmer of the said platform.  Imagine, the platform is hacked twice in a span of 1 year.  The offer of Fei protocol seems a good move but this leaves me to think that the culprit is within the team, I hope I am wrong though.

[JeffBrad12]

rari was a garbage defi and i hope that the investors who got affected caused by this hack was alsotaking legal action against rari when this platform unable to recover the funds. This garbage defi and fei protocols never tried to learn from their mistake. This garbage blockchain has been hacked at least for 3 times and pretty similar like happened with BZRX.
The stolen amount must be reimbursed by the team. Anyone needs to brought the dev into the legal action. even if that was a hacked case.

[Xal0lex]

It's no surprise to me, DeFi break-ins happen almost every day. Here's another one. Again. Smart contracts are still extremely vulnerable, even if they have been audited 2-3 times by a major company. That means absolutely nothing. As they have been hacked, they are still being hacked.

I think the hacker gave up the bounty because he was focused specifically on finding a vulnerability that would bring him a good profit from his activities (we are talking about 70 million). It is a good thing that Polygon was able to negotiate with the hacker about the bounty, otherwise it would have been a very massive loss and possibly the death of the ecosystem.

[Husires]

It is a shame to hear the word decentralized and hack in one sentence, and the strangest thing is that 10 million dollars are freely available to the hacker, I do not know, but I doubt the novel and say that the reason:

• The hacker is one of the people who work on the platform.
• This is money laundering.
• The platform has a weak developer team and it will be impossible for them to trace the hacker.
• This is an attempt to evade tax.

Unfortunately, there is no news about what they will do to close this vulnerability, which appears in the infrastructure of the system.
They should remove the word decentralization from their company.

[Yogee]

.... Again. Smart contracts are still extremely vulnerable, even if they have been audited 2-3 times by a major company. That means absolutely nothing. As they have been hacked, they are still being hacked.

I've read some previously exploited projects that were audited but they did not fix the vulnerabilities found during the audit.

......

Ever thought that these so called hacks could be the doing of companies or persons with smart contract audit services? I mean it's a win-win situation for them. They would look good if they investigate what happened and gain trust of the community while enjoying the money that was stolen.

P.S. Tornado Cash have been getting a lot of free publicity because of these exploits hehe.

[DapanasFruit]

Sad to note that the platform has come under the mercy of the hackers...as if begging for them to consider the offer of $10 million in return for the $80 million successfully hacked from the system. Now, if I am one of the hackers, why would I ever consider such an offer, in the first place? What can't be denied are the many vulnerabilities' with so many DeFi projects but it would be a lot sadder if the truth is that the hackers behind the whole mess are actually connected with the very people behind the platform...and this is not a far-pitched idea actually. The bottom line is that it would be users, the small investors that are always at the losing end.

[shinratensei_]

I would not be surprised to see this news. Fei protocol was very popular caused by so many hacked cases happened with it. The only question in my mind is how stupid people who have been putting their money into the defi that has become a popular caused by its hacked case. I will call that the stupidest people ever i seem. It doesn't make sense if invest in a platform that regularly got hacked and why is it happening? Those people are not screaming about their money but they never care about their money by using the garbage defi like rari.

[vv181]

Here's another one. Again. Smart contracts are still extremely vulnerable, even if they have been audited 2-3 times by a major company. That means absolutely nothing. As they have been hacked, they are still being hacked.

I believe this is not the first project that was already hacked and yet being hacked again. It is horrific to know this scenario could happen. in the first place, they should have taken more precautious measures, especially if it had already been hacked once.

I think the hacker gave up the bounty because he was focused specifically on finding a vulnerability that would bring him a good profit from his activities (we are talking about 70 million). It is a good thing that Polygon was able to negotiate with the hacker about the bounty, otherwise it would have been a very massive loss and possibly the death of the ecosystem.

Ideally, a bug bounty program should incentivise the bug hunter more than the potential amount that can be lost, otherwise, the project could only rely on the hackers' conscience or motive.

[Xal0lex]

Ever thought that these so called hacks could be the doing of companies or persons with smart contract audit services? I mean it's a win-win situation for them. They would look good if they investigate what happened and gain trust of the community while enjoying the money that was stolen.

We can't be 100% sure about any hack at all that has occurred in the crypto space. Simply because that is the nature of cryptocurrencies. I don't rule out the fact that some protocols or auditors could initiate a hack to appropriate all (or part) of the liquidity, and then just restart a similar project but with a different name. Exchanges that have been hacked could do the same thing. They could just steal funds and reopen under different names.

It's more like a conspiracy theory or something, but the fact is that DeFi is still a very wild environment for investors, even though it is decentralized, but the risks of decentralization seem to me to be much higher, because everything is built on smart contracts, which are riddled with vulnerabilities.

[RussianEnglishTranslation]

I be the hacker is going to wash the funds using 0xMonero and Tornado cash. sad

[o48o]

I be the hacker is going to wash the funds using 0xMonero and Tornado cash. sad

Instead of trying to wash stolen money he could have 10m totally legally and officials wouldn't be on him. Washing money properly also costs a LOT so 10m would be a huge score and actually contain no risks like other solutions.

[Teraboy]

I be the hacker is going to wash the funds using 0xMonero and Tornado cash. sad

Yeah but again if tornado cash was not fully decentralized. I should remind you when the tornado cash able to block the ronin hacker address from using the service. I don't believe if any of these kind of protocols are truly centralized. They have their owners and im sure that if the owner will always have at least a way to enter into the protocol to control it.
Tornado cash already proven that if that was true. Im sure that when the team requesting it and tornado cash will be blocking it.
That's how crypto work today.

[Jaered]

Too bad. These hacks are getting too frequent these days. I'm even afraid of using these protocols. By the way, I don't think the hacker would agree to take only 10 million dollars were of tokens if he has access to much more. Quite debatable

[Scripture]

Too bad. These hacks are getting too frequent these days. I'm even afraid of using these protocols. By the way, I don't think the hacker would agree to take only 10 million dollars were of tokens if he has access to much more. Quite debatable

Its very rare to see a deal like this with the hacker, its like tolerating their bad intentions instead of making the platform more safe and ask for a legal teams to find those hackers. We’ve seen many recoveries already from the hackers but its because the team works hard to locate the funds just like on Axie with a help of Binance.

[Faisal2202]

There offer to intruder of 10m dollar shows that, things had got out of their hands now, hacker has the week point of this platform, But i think it's all some sort of drama to stole investor's money, like 2 times hacking no recovering even after the audited by big firms, but there always present a loop hole like for Bean landing protocol, i personally observe the price and tvl of that platform from 150m dollar to 0 dollar, More than 600 million dollars were stolen from ronin(axis infinity product) well, previous year hacking was also of 600 million, but many of the cases i have seen that hacker had returned the assets or just donate it, but i don't think so it happened here, so it's all the drama to show sympathy towards investors, may god help these investors, 

[cryptoaddictchie]

This brings a serious question on the capability of the developer and security programmer of the said platform.  Imagine, the platform is hacked twice in a span of 1 year.  The offer of Fei protocol seems a good move but this leaves me to think that the culprit is within the team, I hope I am wrong though.

Actually your theory mifht be true someone from the inside could be part of the scheme or if not, then we can totally blame the team or dev for this irresponsibility of not having secure their platform. Imagine that many people uses also rarible and this happened. Many will be dissapointed and possibly shift other good platform such as opensea and looksrare.

[lobo13hf]

By the way, I don't think the hacker would agree to take only 10 million dollars were of tokens if he has access to much more. Quite debatable

If that will become a good amounts of money for the hacker and that's fine. A bit surprised that if this defi was getting hacked again after so many drama that happened in the last when another case of hack happened with it. Will people try to invest in this kind of token again? i doubt that if people will be learning from their past experience. Im sure that the developers of this defi was so amateur as reentrancy vulnerability already exist since a long time ago and what already done by the team before? why don't they patched it? lol

[el kaka22]

These type of hacks will continue to happen because we are talking about digital money and digital could be hacked. Like if you hack a bank, which has happened before, then you could get away as much as you can before they realize it and they will catch you since there is a trail of you based on the bank itself, or there used to be bank robberies as well.

But, when we are talking about crypto, it's all digital and hacking is a part of the digital world. So, no matter how well something is secured, it will always be under the threat of getting hacked one day, even if it never gets hacked, it will always be tried to get hacked. Can you imagine how many people are trying to hack Binance every single day? It must be thousands.

[tabas]

I'm not a technical guy to understand how it got hacked. But usually, these really are really the main targets of these hackers, the DeFis and exchanges.
Are people still trusting these projects that are calling themselves decentralized? The idea is good and the intention but it seems that we're always going to see a news of hack on this side of the crypto market.

[bitkanu]

I be the hacker is going to wash the funds using 0xMonero and Tornado cash. sad

Anyone that can be the hacker will be also doing the same thing like you but don't know whether you will be intereted with the 10m bounty that already offered or not. So the question is how the team will be reimburse all of funds that already stolen by the hacker when hacker didn't even interested to take the bounty that already offered for hacker by the developers.
This will become a horrible thing for rari. The dev needs to do something or they will be in a serious problem