Crypto hackers swipe $107 million in attack on DeFi projects

The hacker drained funds from several Fuse pools by exploiting a so-called reentrancy vulnerability. PHOTO: REUTERS

NEW YORK (BLOOMBERG) - Crypto projects Rari Capital and Fei Protocol said they suffered a US$77 million (S$107 million) hack on Saturday (April 30), five months after their merger.

An unverified Twitter account for Fei Protocol said it was aware of an exploit targeting various pools belonging to its merged partner Rari Capital. The tweet was verified by Fei founder Joey Santoro in a post to the decentralised-finance project's Discord server.

"We have identified the root cause and paused all borrowing to mitigate further damage," the tweet said. Fei offered a US$10 million bounty to the hacker if they returned the remaining user funds, "no questions asked".

Meanwhile, the hacker has already started moving crypto to Tornado Cash, a mixing service that breaks the on-chain link between the address that deposits funds and the address that later withdraws them, according to Dr Lei Wu, chief technical officer of blockchain security firm BlockSec, and a review of activity on Etherscan.

The exploit is the latest to target a DeFi protocol, a class of system designed to let users borrow and lend digital assets without traditional intermediaries, typically under pseudonymous wallet addresses rather than verified identities. In February, hackers made off with US$320 million worth of crypto after an attack on Wormhole, a bridge that moves assets between the Solana blockchain and other blockchains.

Fei Protocol is focused on building an algorithmic stablecoin, pegged to the value of the United States dollar, that can be more easily used by decentralised autonomous organisations, or DAOs. Rari Capital allows investors to lend, borrow and "farm" high yields via a permissionless interest-rate protocol called Fuse.

The hacker drained funds from several Fuse pools by exploiting a so-called reentrancy vulnerability, Mr Santoro said in a post on Fei's Discord, and promised to publish a detailed post-mortem of the attack "after further analysis".

A reentrancy attack occurs when a protocol's smart contract makes a call to an external contract before it has finished updating its own state. If that external contract is controlled by an attacker, it can use the call to call back into ("re-enter") the original contract, which still sees the stale, pre-update state and may, for example, pay out the same balance again. The attacker repeats this until the pool is drained or the transaction runs out of gas.

One of the best-known instances of this type of attack is the 2016 hack on The DAO, according to analysis by crypto developer Moralis; the fallout from that hack caused the Ethereum blockchain to split in two, into Ethereum and Ethereum Classic.

