Hackers steal $90 million from DeFi platforms Rari Capital and Saddle Finance
Two decentralized finance platforms were attacked this weekend by hackers who ended up stealing a total of $90 million.
Rari Capital’s Jack Longarzo said the company was attacked through an exploit and Fei Protocol, a company that merged with Rari Capital, offered the hacker a $10 million bounty. CoinGecko data shows Fei is the 11th largest stablecoin based on market cap.
Blockchain security company BlockSec explained that the hackers used a reentrancy vulnerability. Reentrancy attacks exploit bugs in contracts that allow an attacker to withdraw funds repeatedly in a loop before the original transaction is approved or declined, or before the funds need to be returned.
Longarzo said the attack was conducted through Fuse, Rari Capital’s DeFi lending market creator for developers. Fixes for the vulnerability are being worked on, according to Longarzo, but the company did not respond to requests for comment about how users will be compensated for their losses.
On April 30, another platform – Saddle Finance – reported that about $10.3 million was stolen from their platform.
They attempted to contact the hacker to offer a bounty but noted that BlockSec managed to get $3.8 million worth of stolen funds back to Saddle Finance.
The company said it would pay BlockSec about $380,000 for returning some of the stolen funds.
They are in the process of deciding how to reimburse users who lost funds in the attack and wrote that they plan to put the decision up for a vote.
Saddle Finance allows users to sell and trade stablecoins – cryptocurrencies pegged to fiat money.
Blockchain security firm PeckShield said 3,633 ETH stolen during the attack are still in the attacker’s account but 300 ETH – about $850,000 – has already been deposited into cryptocurrency mixing service Tornado.