Decentralized finance (DeFi) platform Fei Protocol offered a $10 million bounty to hackers in an attempt to negotiate and retrieve a major chunk of the stolen funds from various Rari Fuse pools worth $79,348,385.61 — nearly $80 million.
On Saturday, Fei Protocol informed its investors about an exploit across numerous Rari Capital Fuse pools while requesting the hackers to return the stolen funds against a $10 million bounty and a “no questions asked” commitment.
While the exact losses from the exploit were not officially released, DeFi investigator BlockSec’s monitoring system detected a loss of more than $80 million — citing the root cause as a typical reentrancy vulnerability. While reentrancy bugs have been the main culprit in many exploits within the DeFi ecosystem, the $80 million loot makes the Fei Protocol exploit one of the largest reentrancy hacks ever.
Upon further investigations, Rari developer Jack Longarzo revealed a total of six vulnerable pools (8, 18, 27, 127, 144, 146, 156) that have been temporarily paused while an internal fix is underway. At the time of writing, Rari’s internal and external security engineers partnered with DeFi service provider Compound Treasury to further investigate and neutralize the hack.
Providing further insights into the development, blockchain investigator PeckShield narrowed down the exploit to a reentrancy bug, which allows hackers to use a function and make external calls to another untrusted contract.
Security-focused ranking platform CertiK told Cointelegraph that the attacker has sent 5400 Ether (ETH), or $15,298,900 at the time of writing, to Tornado Cash and still holds 22,672.97 ETH, or $64,245,245.43 at the time of writing, in their wallet. The attack has drained funds from the Rari pool while the Fei Pools (Tribe, Curve) remain unaffected.
Last year on May 8, 2021, Rari Capital became victim to a high-priced exploit that was related to the integration with Alpha Venture DAO, previously Alpha Finance Lab. At the time of writing, there have been no official announcements from the Fei Protocol team on the results of their investigation.
As the crypto community goes through an ever evolving battle against hackers, numerous projects and protocols have decided to amp up their security measures. On Th, the Ronin Network and Sky Mavis revealed plans to upgrade their smart contracts — following the $600 million hack in the previous month.
The United States Federal Bureau of Investigation (FBI) attributed the attack to North Korea-based and state-sponsored hacking group Lazurus, as it fired off a warning to other crypto and blockchain organizations.