After an $11 million attack earlier today, Rari Capital is the latest decentralized finance (DeFi) protocol to fall victim to a high-priced exploit.
The platform, which builds optimized yield vaults and boutique lending pools, confirmed the attack in a Tweet and said that a full postmortem is forthcoming.
Per whitehat hacker Emiliano Bonassi, the exploit appears to be an “evil contract” exploit, in which an attacker ‘tricks’ a contract into thinking a hostile contract should have access or permissions. Alpha Finance announced in a Tweet that the hack was related to Rari’s interest-bearing ibETH vault, but that no Alpha funds were at risk.
The hacker’s wallet currently holds 4,005 ETH worth over $15,000,000, but a portion of those funds appears to be from a separate exploit.
Like many before him, the attacker appears to have considered sending a message to the Rari team, but cancelled the transaction. Because he paid a low gas fee, however, observers were able to notice the message as a pending transaction before it was cancelled.
While taking the aborted victory lap, the attacker’s message also seemed to imply that the Alpha Homora team prevented an additional $6 million drain.
Already users are taking to Twitter to speculate about what form the team’s compensation plan might take. Compensating users affected by hacks and exploits is becoming an increasingly common practice, most recently with EasyFi revealing their compensation plan after a crippling $60 million exploit.
The Rari Capital team has often been a target of both community support and derision. The team is notably young, with one developer reportedly being 15 years old. One of their key investors, Twitter user Tetranode, joked on a recent Up Only podcast that, despite only being middle aged, the team frequently and playfully taunts him as a “boomer.”
As such, while some have criticized the team and attempted to blame youthful inexperience for the attack, others have noted that security practices in DeFi are continually evolving and have been quick to voice support for the team, including SushiSwap CTO Joseph Delong.
$RGT, Rari's governance token, is down 23.24% to $13.35 on the news.