2021 Rari Capital Hacking Analysis

林瑋宸 Albert Lin
4 min read · May 22, 2021

This hack happened on May 8, 2021. The loss is about 2600 ETH (about 10M USD). The hacker used dYdX flash loans to attack the Rari Capital Fund Manager contract up to 91 times. Let's see what went on.

Rari Capital Introduction

"Rari Capital, the smartest roboadvisor that ensures you receive the highest yield, far beyond just lending." — from Cypherhunter. Rari Capital provides 3 pools to users: Stable Pool, Yield Pool and ETH Pool. The ETH Pool is the pool that was hacked and the one we are talking about today. Basically, Rari Capital works like a yVault.

Attack Transaction Types

The first attack happened on 2021/5/8 at 01:48:21 PM UTC. One attack consists of two types of transactions, Work and Donate. The Work transaction changes the Rari Capital pool token (RariFundToken) rate and uses a flash loan to amplify the effect. The Donate transaction steals the ETH and prepares the next attack. Work and Donate transactions appear in pairs.

Work Tx Main Flow:

  • Flash loan from dYdX
  • Deposit ETH to the Rari pool
  • Send ETH to the ibETH contract
  • Withdraw ETH from the Rari pool

Donate Tx Main Flow:

  • Get RariFundToken balance
  • Withdraw ETH by using the remaining RariFundToken

Attack Tx Flow

Work Transaction:

Work Tx Step:

  1. Hacker calls ibEth.work(data)
  2. ibETH calls SushiswapGoblin.work(data)
  3. SushiswapGoblin gets the strategy address and strategy data (ext) from decode(data)
  4. SushiswapGoblin calls StrategyAddTwoSidesOptimal.execute(ext)
  5. StrategyAddTwoSidesOptimal gets the fToken address from decode(ext)
  6. StrategyAddTwoSidesOptimal gets the SushiSwap pool (fToken-WETH) information. That's why the hacker needed to create the fToken-WETH pool on SushiSwap before the attack.
  7. StrategyAddTwoSidesOptimal calls fToken.approve(). Attack starts!
  8. fToken takes a dYdX flash loan, withdrawing about 5000 WETH from the dYdX pool
  9. dYdX calls fToken.callFunction()
  10. fToken gets 5000 ETH by executing WETH.withdraw()
  11. fToken deposits 5000 ETH to RariFundManager
  12. RariFundManager calls RariFundController._getPoolBalance(pool) to get the pool balance.
  13. RariFundController calls ibEth.totalETH() for alphaController.getBalance()
  14. RariFundController calculates and returns the balance via alphaController.getBalance(): (ibEth.balanceOf(Manager) * _ibEth.totalETH()) / _ibEth.totalSupply()
  15. RariFundManager gets fundBalance (controller balance plus pool balance)
  16. RariFundManager calculates the RariFundToken amount for the user: reptAmount = (amount * reptTotalSupply) / fundBalance
  17. Mints reptAmount RariFundToken to fToken
  18. fToken sends 1063 ETH to the ibETH contract to increase ibEth.totalETH()
  19. fToken withdraws 5000 ETH from RariFundManager
  20. RariFundManager calls RariFundController._getPoolBalance(pool) to get the pool balance.
  21. RariFundController calls ibEth.totalETH() for alphaController.getBalance(). But ibEth.totalETH() has been increased by step 18.
  22. RariFundController returns the balance. The balance is larger because _ibEth.totalETH() has been increased.
  23. RariFundManager executes getPEPRBurnAmount() to calculate how many RariFundToken need to be burned: reptAmount = (amount * reptTotalSupply) / fundBalance. reptAmount is smaller because fundBalance has been increased. That means the same amount of ETH is withdrawn by burning fewer RariFundToken.
  24. Burns RariFundToken
  25. Sends ETH to fToken
  26. fToken swaps ETH to WETH
  27. fToken deposits ETH to the dYdX pool (repays the loan). fToken.approve() finishes.
  28. At the end of ibEth.work(), the excess ETH is returned to the sender. The 1063 ETH from step 18 is returned to the hacker.

Donate Transaction:

Donate Tx Step:

  1. Hacker calls fToken.donate() with an ETH value. The ETH value is preparation for the next attack.
  2. fToken calls FundManager.balanceOf() to get how much ETH can be withdrawn.
  3. fToken calls FundManager.withdraw() to withdraw ETH using the remaining RariFundToken.
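The share arithmetic behind the Work and Donate steps above, as an added toy simulation (not Rari's or Alpha's code): the Manager prices its ibETH position off the vault's spot totalETH(), one deposit/inflate/withdraw cycle runs with the page's 5000 ETH and 1063 ETH figures, and the leftover RariFundToken is then redeemed the way the Donate tx does. The initial vault and fund sizes are constructed assumptions.

```python
from fractions import Fraction as F
class IbEth:
    """Toy model of Alpha's ibETH vault (constructed, not Alpha's code)."""
    def __init__(self, total_eth, total_supply):
        self.total_eth, self.total_supply = F(total_eth), F(total_supply)

class RariFund:
    """Toy model of RariFundManager/Controller share accounting (constructed, not Rari's code)."""
    def __init__(self, ibeth, ib_shares, rept_supply):
        self.ibeth, self.ib_shares = ibeth, F(ib_shares)  # ibETH held by the Manager
        self.cash = F(0)                                  # ETH held directly by the controller
        self.rept_supply = F(rept_supply)                 # RariFundToken total supply
        self.rept = {}                                    # RariFundToken balances

    def pool_balance(self):
        # alphaController.getBalance(): ibEth.balanceOf(Manager) * totalETH / totalSupply
        # Spot totalETH() is the manipulable input: it can be raised within a single tx.
        return self.ib_shares * self.ibeth.total_eth / self.ibeth.total_supply
    def fund_balance(self):
        return self.cash + self.pool_balance()

    def deposit(self, who, amount):
        minted = F(amount) * self.rept_supply / self.fund_balance()  # step 16
        self.cash += F(amount)
        self.rept_supply += minted
        self.rept[who] = self.rept.get(who, F(0)) + minted
        return minted

    def withdraw(self, who, amount):
        burned = F(amount) * self.rept_supply / self.fund_balance()  # step 23
        if burned > self.rept[who] or F(amount) > self.cash:
            raise ValueError("insufficient shares or cash")
        self.cash -= F(amount)
        self.rept_supply -= burned
        self.rept[who] -= burned
        return burned

def simulate_attack(deposit=5000, inflate=1063):
    ib = IbEth(total_eth=20000, total_supply=20000)          # constructed vault state
    fund = RariFund(ib, ib_shares=3000, rept_supply=3000)    # honest users own all RariFundToken
    fund.rept["honest"] = F(3000)
    minted = fund.deposit("attacker", deposit)               # Work tx, steps 11-17
    ib.total_eth += inflate                                  # step 18: ETH pushed into ibETH
    burned = fund.withdraw("attacker", deposit)              # steps 19-25, priced off inflated totalETH
    ib.total_eth -= inflate                                  # step 28: work() refunds the 1063 ETH
    share_price = fund.fund_balance() / fund.rept_supply
    return {"minted": minted, "burned": burned,
            "attacker_eth": fund.rept["attacker"] * share_price,  # what the Donate tx redeems
            "honest_eth": fund.rept["honest"] * share_price}
```

The attacker's leftover shares are worth about 94.6 ETH in this toy state, and that value comes straight out of the honest depositors' 3000 ETH; a fund that valued its position with a price that cannot move inside one transaction would mint and burn the same share count.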

Related Txs and Contracts:

On a blockchain, contract interaction is straightforward and common, but with DeFi composability the potential risk also rises. The root cause of this hack is an integration issue between DeFi protocols. Both Alpha Protocol and Rari Capital run well individually, but the problem came up when they were integrated. We should be more careful about integrating DeFi protocols, especially since every hack brings a great deal of damage and loss to the blockchain ecosystem.
