- A $10 million bounty, with a “no questions asked” condition, was offered by Fei Protocol.
- This bug is older than the Solidity programming language itself.
Rari Fuse pools, which merged with Fei Protocol five months ago, have suffered an $80 million exploit. This came to light when Fei Protocol posted the following tweet on 04/30/2022.
According to Lei Wu, Chief Technical Officer of BlockSec, 5400 ETH has already been transferred by the attackers to Tornado Cash, a platform used for breaking the on-chain link between sender and receiver. PeckShield has also analyzed this attack and attributes it to a re-entrancy defect in the smart contracts, as stated in their tweet.
“The old reentrancy bug bites again on Compound forks w/ $80M loss! This time, it re-enters via exitMarket()!!!”
This bug is older than the Solidity programming language itself. Paweł Kuryłowicz, Principal IT Security Consultant, gives a simple explanation of what it is: “when contract A calls contract B, and contract B calls contract A, when A still has not updated its state and it leads to some unexpected harmful behaviour”.
Major re-entrancy hacks before this one include the $25 million Uniswap/Lendf.Me hacks, the $18.8 million CREAM Finance hack and the $7.2 million BurgerSwap hack. Although different tools and methods have been employed to prevent this class of attack, they all fall short, since they are built only from earlier incidents and the patterns observed in them.
The immutability of smart contracts also works against defenders here: if a new re-entrancy path is discovered, developers cannot patch the existing contract, and a whole new contract has to be deployed instead. The window in between is a boon to attackers. Moreover, Fei Protocol offered the attacker a $10 million bounty with a “no questions asked” condition.
We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and paused all borrowing to mitigate further damage.— Fei Protocol (@feiprotocol) April 30, 2022
To the exploiter, please accept a $10m bounty and no questions asked if you return the remaining user funds.