TL;DR
On 30 April 2022, Fei Protocol announced that they were aware of and looking into an exploit on various Rari Fuse pools, that turned out to be a common re-entrancy attack. The total loss reported was ~$80 Million.
Event Summary
On April 30 2022, at 09:01:35 AM +UTC Fei Protocol announced that they were aware of and looking into an exploit on various Rari Fuse pools. The total loss reported was at ~$80 Million. They paused all borrowing to minimize further loss and publicly offered the attacker $10 million to return the user funds. At ~$80 million this makes the FEI exploit one of the largest re-entrancy hacks ever.
The attack drained funds from the Rari pool whilst the Fei Pools (Tribe, Curve) remain unaffected. A Rari team member confirmed that only borrowable assets were vulnerable in the attack.
Initial reports indicate this exploit is likely due to a re-entrancy bug which has affected and been main culprit in MANY exploits, including the infamous DAO hack in 2016 and several major protocols in the past like:
- Uniswap/Lendf.Me hacks (April 2020) – $25 million, attacked by a hacker using a reentrancy.
- The BurgerSwap hack (May 2021) – $7.2 million because of a fake token contract and a reentrancy exploit.
- The SURGEBNB hack (August 2021) – $4 million seems to be a reentrancy-based price manipulation attack.
- CREAM FINANCE hack (August 2021) – $18.8 million, reentrancy vulnerability allowed the exploiter for the second borrow.
- Siren protocol hack (September 2021) – $3.5 million, AMM pools were exploited through reentrancy attacks. (Ref:Hackernoon)
In December, Fei merged with Rari Capital. Rari enabled the creation of Fuse Pools— permissionless lending pools— that anyone with a wallet can access from anywhere to lend or borrow ERC-20 tokens. No minimum funds are required of users.
On 01 April 2022, Rari Capital released a Security Upgrade Report on Medium, stating they had patched a security issue relating to Fuse pools. This patch fixed known vulnerabilities in Compound by blocking re-entrancy on functions that required it. Although they protected many of their system's functions, they did not protect exitMarket(). When the exploiter received ETH, they could then call exitMarket() even though a global reentrancy lock is active.
Fei Protocol also previously suffered difficulties earlier this month when a bug that was discovered through their bug bounty program caused them to shut down their rebate program while they fixed a vulnerability. At that time, they were able to block an exploit before any happened, which sadly was not the case in this instance.
Reference to prior FEI incident:
Fei Protocol Vulnerability Postmortem
Fei Protocol struggles with a bug as holders are mostly unable to sell the token
Rari Capital: Fuse Security Upgrade Report
Explained: The Fei Protocol Bug (April 2021)
Re-entrancy: Hack Solidity: Reentrancy Attack | HackerNoon
Attack Technical Analysis
Take 0xab48... as an example:
- Attacker flash loaned 150,000,000 USDC and 50,000 WETH
- Deposited 150,000,000 USDC as collateral into fUSDC-127 contract for loans, which is a fork of vulnerable smart contract of Compound protocol.
- The attacker borrows 1,977 ETH via the “borrow()” function
- However, the “borrow()” function does not follow the check-effect-interaction pattern and transfers ETH to the attacker’s contract before updating the attacker’s borrow records.
- Therefore, with the attacker’s borrow record not updated, the attacker made a re-entrant call to “exitmarket()” that allows the attacker to withdraw his collateral (150M USDC)
- Attacker repeated the steps on multiple other tokens.
- Finally, the attacker repaid the flashloan and transferred the rest as profit.
Contract Vulnerability Analysis
This attack was due to a design flaw in the Fei Protocl that failed to follow the check-effect-interaction pattern and thus allow the attacker to make a re-entrant call before the borrow records are updated.
In the “borrow()” function, the following code is implemented:
As the code illustrates, the “doTransferOut()” is invoked before the borrow records (i.e., “accountBorrows[]” and “totalBorrows” ) are updated.
The “doTransferOut()” function transfers ETH to the receiver via a low-level call:
Therefore, the attacker is able to make a re-entrant call in the “fallback()” function to “makeExit()”.
Profit and Assets Tracing
How much does the attacker earn?
| Token | Transfer to 0xe39f3c4 |
|---|---|
| ETH | 6037.814 |
| DAI | 14278990.68 |
| USDC | 10055556.33 |
| FRAX | 13101364.94 |
| UST | 2765891.006 |
| RAI | 31615.8714 |
| FEI | 7119260.782 |
| USDT | 132959.9008 |
| LUSD | 1948952.179 |
Where are the stolen assets?
Claim process:
| TX hash | Attacker out | Attacker in |
|---|---|---|
| 0xa733e | 3,106.26 ETH | |
| 0x8ad7c | 11,924,074.79 FEI 3,184,115.06 DAI 1,948,952.18 LUSD | |
| 0x0d712 | 5,000,000.00 FEI | 4,995,000.00 DAI |
| 0xa5cc5 | 5,000,000.00 FEI | 1,766.06 WETH |
| 0xd5628 | 1,924,074.79 FEI | 1,922,150.72 DAI |
| 0x901af | 548,950.00 LUSD | 194.21 WETH |
| 0x229f0 | 3,364,504.99 FRAX 1,691,470.42 FEI, 1,250,000.00 UST (Wormhole), 963,852.76 DAI, 487.74 ETH | |
| 0x1c387 | 700,002.18 LUSD | 247.59 WETH |
| 0x3305b | 1,691,470.42 FEI | 596.10 WETH |
| 0x86c69 | 3,364,504.99 FRAX | 1,186.29 WETH |
| 0xdb838 | 1,250,000.00 UST (Wormhole) | 441.34 WETH |
| 0x57be2 | 700,000.00 LUSD | 247.86 ETH |
| 0xdb873 | 10,131,022.86 DAI, 10,055,556.33 USDC, 9,736,859.95 FRAX, 6,636,057.90 FEI, 1,515,891.01 UST (Wormhole), 132,959.90 USDT, 2,443.81 ETH | |
| 0x1003a | 31,615.87 RAI | |
| 0x5352e | 5,000,000.00 USDC | 1,766.17 WETH |
| 0xd970c | 5,000,000.00 USDC 1,766.17 WETH | |
| 0x6ad1c | 55,556.33 USDC | 19.63 ETH |
| 0x64a92 | 5,736,859.95 FRAX | 2,021.04 ETH |
| 0x5ffd4 | 132,959.90 USDT | 46.91 ETH |
| 0x0cd68 | 1,515,891.01 UST (Wormhole) | 534.01 WETH |
| 0x60238 | 6,636,057.90 FEI | 2,324.16 WETH |
| 0x23c6d | 4,000,000.00 FRAX | 1,407.37 ETH |
| 0x88b49 | 31,615.87 RAI | 33.65 ETH |
| 0xb7852 | 5,000,000.00 DAI | 1,759.31 WETH |
| 0x51509 | 5,000,000.00 DAI | 1,752.73 WETH |
| 0xb5e7b | 5,000,000.00 DAI | 1,753.31 WETH |
| 0x0c7a6 | 5,000,000.00 DAI | 1,755.00 WETH |
| 0x7b779 | 1,196,141.40 DAI | 421.33 WETH |
| 0xb61d1 | 18,261.46 WETH | 18,261.46 ETH |
Would we spot the issue during the audit?
In this specific incident, a CertiK audit would pick up this particular vulnerability. Our highly skilled auditors would have spotted if the check-effect-interaction is strictly followed in the implementation of the code. Our auditors would then take their findings to the project and work with them to resolve this issue. You can read a project's audit on our website where you can check for yourself a tokens critical, major, medium, minor and informational vulnerabilities which will aid you in DYOR.
