Hackers steal $90 million from DeFi platforms Rari Capital and Saddle Finance
Two decentralized finance platforms were attacked this weekend by hackers who ended up stealing a total of $90 million.
Rari Capital confirmed reports from several blockchain security companies on April 30 that about $80 million worth of cryptocurrency was stolen through their platform.
Rari Capital’s Jack Longarzo said the company was attacked through an exploit and Fei Protocol, a company that merged with Rari Capital, offered the hacker a $10 million bounty. CoinGecko data shows Fei is the 11th largest stablecoin based on market cap.
Rari is aware of an exploit on various Fuse pools. Borrowing has been paused globally and no further funds are at risk.
The Rari team, and the rest of the Tribe, are working to mitigate the loss and recover exploited funds, and will provide updates as soon as they are available.
— Jack Longarzo (@JackLongarzo) April 30, 2022
Blockchain security company BlockSec explained that the hackers used a reentrancy vulnerability. Reentrancy attacks involve bugs in contracts that allow an attacker to withdraw funds repeatedly in a loop before the original transaction is approved or declined or the funds need to be returned.
Over the last year, several DeFi platforms have been hit with reentrancy attacks, including Revest Finance, Ola Finance, and Cream Finance.
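The ordering problem behind a reentrancy bug, as an added illustration that is not part of the original article and is not Rari Capital, Fuse or BlockSec code: a toy Python model in which a pool pays out before updating its ledger, shown beside the same pool with the ledger update moved first. All class names, account names and amounts are constructed assumptions.

```python
# Toy model of reentrancy (added example; all names and amounts are constructed).
class Pool:
    def __init__(self, hardened):
        self.hardened = hardened
        self.balances = {}   # what the ledger says each account is owed
        self.reserves = 0    # what the pool actually holds

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.reserves += amount

    def withdraw(self, account, receiver):
        amount = self.balances.get(account, 0)
        if amount == 0 or amount > self.reserves:
            return
        if self.hardened:
            # Checks-effects-interactions: update the ledger, then hand over control.
            self.balances[account] = 0
            self.reserves -= amount
            receiver(self, amount)
        else:
            # Vulnerable ordering: the receiver's code runs while the ledger
            # still shows the full balance, so a nested call passes the check.
            self.reserves -= amount
            receiver(self, amount)
            self.balances[account] = 0

class ReenteringReceiver:
    """Test double: a payment hook that calls withdraw() again while being paid."""
    def __init__(self, account, max_depth):
        self.account, self.max_depth = account, max_depth
        self.received = self.depth = 0

    def __call__(self, pool, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            pool.withdraw(self.account, self)

def run(hardened):
    """Return (paid to caller, pool reserves, total the ledger still owes)."""
    pool = Pool(hardened)
    pool.deposit("others", 900)
    pool.deposit("caller", 100)
    receiver = ReenteringReceiver("caller", max_depth=3)
    pool.withdraw("caller", receiver)
    return receiver.received, pool.reserves, sum(pool.balances.values())
```

With the vulnerable ordering the caller is paid 400 against a balance of 100 and the reserves end 300 short of what the ledger owes; with the ledger updated first the nested call finds a zero balance and the books stay even.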
Longarzo said the attack was conducted through Fuse, Rari Capital’s tool that lets developers create DeFi lending markets. Fixes for the vulnerability are being worked on, according to Longarzo, but the company did not respond to requests for comment about how users will be compensated for their losses.
Rari Capital previously lost $15 million in cryptocurrency during a price manipulation attack in May 2021.
On April 30, another platform – Saddle Finance – reported that about $10.3 million was stolen from their platform.
5/ ~$10.3M was indeed hacked (https://t.co/w8Afnra3y5). We are trying to reach the attacker to negotiate a bounty.
**If you are the attacker please DM us to discuss**
— Saddle (@saddlefinance) April 30, 2022
Saddle Finance attempted to contact the hacker to offer a bounty but noted that BlockSec managed to get $3.8 million worth of stolen funds back to Saddle Finance.
The company said it would pay BlockSec about $380,000 for returning some of the stolen funds.
They are in the process of deciding how to reimburse users who lost funds in the attack and wrote that they plan to put the decision up for a vote.
Saddle Finance allows users to sell and trade stablecoins – cryptocurrencies pegged to fiat money.
Blockchain security firm PeckShield said 3,633 ETH stolen during the attack are still in the attacker's account but 300 ETH – about $850,000 – has already been deposited into cryptocurrency mixing service Tornado.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.