DeFi protocol Rari Capital plans to reimburse affected users after an attacker exploited its Ethereum liquidity pool, draining roughly $10 million worth of Ethereum (ETH), around 60% of the funds users had deposited.
Jai Bhavnani, Rari Capital's CEO, said the protocol's core contributors have agreed to return 2 million RGT, originally allocated to developers as an incentive, to the DAO and to use it to reimburse impacted users.
According to the postmortem, the attacker drained the pool by taking a flash loan from the exchange dYdX, depositing ETH, and making repeated withdrawals. Going forward, the protocol will refuse a deposit and a withdrawal in the same block, which blocks this class of flash loan attack because a flash loan must be borrowed and repaid within a single transaction.
ETH Pool Exploited
The Rari Capital Ethereum Pool converts deposited ETH into Alpha Finance's ibETH token. However, the developers were not aware of a function in the ibETH token that could artificially inflate its reported value. The attacker used that function to manipulate the pool's accounting and withdraw more funds than had been deposited, taking about 2,600 ETH from the Ethereum Pool, according to David Lucid, Rari Capital's lead developer.
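The two paragraphs above describe the attack pattern only at a high level: shares bought at an honest price, the underlying token's reported value pushed up with flash-loaned capital, and a withdrawal priced off the inflated value before the loan is repaid, all inside one block. The following is an added illustration of that pattern and of the same-block guard as a mitigation; it is not Rari Capital's or Alpha Finance's code, and it is written as a Python model of the on-chain accounting rather than as Solidity so the numbers can be checked offline. The token's `inflate`/`deflate` hook, the pool keeping part of its ETH as a liquid reserve, the block numbers and every amount are assumptions made for the model.

```python
"""Toy model of a share-based ETH pool that prices shares off the reported
value of an underlying wrapped token, and of a flash-loan-funded attack that
inflates that value and withdraws in the same block.

Added illustration only: not Rari Capital's or Alpha Finance's code. The
token's `inflate`/`deflate` hook, the pool keeping an ETH reserve, the block
numbers and every amount below are assumptions made for this model.
"""
import copy


class PoolError(Exception):
    """Rejected operation; on-chain this would be a revert."""


class WrappedToken:
    """Underlying token; reported value per unit = ETH backing / supply."""

    def __init__(self, supply, eth_backing):
        self.supply = float(supply)
        self.eth_backing = float(eth_backing)

    def value_per_unit(self):
        return self.eth_backing / self.supply

    def mint(self, eth):
        """Deposit ETH, receive units at the current reported value."""
        units = eth / self.value_per_unit()
        self.eth_backing += eth
        self.supply += units
        return units

    # Assumed flaw: ETH parked in the token contract counts as backing without
    # minting units, so the reported value rises while it sits there.
    def inflate(self, eth):
        self.eth_backing += eth

    def deflate(self, eth):
        self.eth_backing -= eth


class Pool:
    """Pool holding an ETH reserve plus wrapped-token units; shares are priced
    off net asset value (NAV), which trusts the token's reported value."""

    def __init__(self, token, same_block_guard=False):
        self.token = token
        self.eth_reserve = 0.0
        self.token_units = 0.0
        self.same_block_guard = same_block_guard
        self.shares = {}
        self.total_shares = 0.0
        self.last_deposit_block = {}

    def nav(self):
        return self.eth_reserve + self.token_units * self.token.value_per_unit()

    def share_price(self):
        return 1.0 if self.total_shares == 0 else self.nav() / self.total_shares

    def convert_to_token(self, eth):
        """Move ETH from the reserve into token units (assumed: part stays liquid)."""
        self.eth_reserve -= eth
        self.token_units += self.token.mint(eth)

    def deposit(self, user, eth, block):
        minted = eth / self.share_price()
        self.eth_reserve += eth
        self.shares[user] = self.shares.get(user, 0.0) + minted
        self.total_shares += minted
        self.last_deposit_block[user] = block
        return minted

    def withdraw(self, user, share_amount, block):
        # The mitigation the article describes: a deposit and a withdrawal by
        # the same account cannot land in the same block.
        if self.same_block_guard and self.last_deposit_block.get(user) == block:
            raise PoolError("deposit and withdrawal in the same block")
        if share_amount > self.shares.get(user, 0.0):
            raise PoolError("insufficient shares")
        eth_out = share_amount * self.share_price()
        if eth_out > self.eth_reserve:
            raise PoolError("insufficient ETH reserve")
        self.shares[user] -= share_amount
        self.total_shares -= share_amount
        self.eth_reserve -= eth_out
        return eth_out


def simulate_attack(same_block_guard, block=100, flash_loan=10_000.0):
    """Run the attack as one atomic transaction; return the attacker's profit
    and what the honest LP's shares are worth afterwards (both rounded)."""
    token = WrappedToken(supply=1_000, eth_backing=1_000)   # reported 1 ETH/unit
    pool = Pool(token, same_block_guard=same_block_guard)
    pool.deposit("lp", 1_000.0, block=1)                    # honest liquidity
    pool.convert_to_token(500.0)                            # 500 ETH reserve + 500 units

    snapshot = copy.deepcopy((token, pool))
    cash = flash_loan
    try:
        cash -= 100.0
        shares = pool.deposit("attacker", 100.0, block)     # bought at honest NAV
        park = cash                                         # the rest inflates the token
        token.inflate(park)
        cash -= park
        cash += pool.withdraw("attacker", shares, block)    # paid out at inflated NAV
        token.deflate(park)
        cash += park
        if cash < flash_loan:
            raise PoolError("cannot repay flash loan")
        cash -= flash_loan
    except PoolError:
        token, pool = snapshot                              # the whole tx reverts
        cash = 0.0
    lp_value = pool.shares["lp"] * pool.share_price()
    return {"attacker_profit": round(cash, 6), "lp_value_after": round(lp_value, 6)}


if __name__ == "__main__":
    print("no guard:", simulate_attack(same_block_guard=False))
    print("guard:   ", simulate_attack(same_block_guard=True))
```

Without the guard the model's attacker turns 100 ETH of deposit into 400 ETH of withdrawal, repays the flash loan and keeps 300 ETH, all of which comes out of the honest LP's claim; with the guard the withdrawal reverts, the flash loan cannot be repaid, and the entire transaction unwinds. Two caveats worth keeping in mind when relying on such a guard: it is keyed on the depositing address, so if pool shares are transferable the same check (or a transfer restriction) is needed on the receiving side, otherwise an attacker deposits from one address and withdraws from another; and it only removes the atomic, flash-loan financing, not the root cause of trusting a manipulable reported value, so an attacker with enough capital of their own to hold the manipulation across a block boundary is not stopped by it.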
Rari Capital is still discussing proposals via community calls. The first security measure is to require every protocol the company integrates with going forward to review the integration itself, on the grounds that protocols "know the code they wrote better than anyone else."
As for auditing, the company is awaiting an audit from OpenZeppelin and plans to engage other auditing firms instead of Quantstamp.
DeFi Hacks on the Rise
Rari Capital is the latest DeFi protocol to be hacked. The Rari Governance Token (RGT) tumbled by more than half following the news, falling from around $18 to $8, though it had recovered to $12 at the time of writing.
There have been numerous attacks in the DeFi space recently. As reported by CryptoPotato, at least $50 million disappeared from Uranium Finance in an apparent hack, although many in the crypto community speculate that it was a rug pull.