1/7

Rari Capital lost a lot of funds as a result of a complex exploit, right?

However, things are far from simple, and we witnessed the first cross-chain exploit, so let’s see how it went👇

2/7

Hackers obtained funds to attack Rari by stealing them from vSafe from @value_defi on BSC (4th attack).

Unfortunately, I was concentrating on the AMM exploit, so I didn’t notice that their yield farm was also affected.

5,346 BNB ($3.8M) were stolen and swapped to 1k ETH.

3/7

The attacker’s actions on BSC looked like this:

1) Create a fake token and a PancakeSwap pool for it so that Alpaca Finance can be used

❗️ The next two steps are repeated🔄

4/7

2) Interact with Alpaca Finance, where calling approve() on the fake token triggers a payload that lets the attacker use vSafe through Codex farm to get vSafeWBNB

3) Convert vSafeWBNB to WBNB

4) Transfer all WBNB to Ethereum through Anyswap

5/7

In general, the attack on Rari looked like this:

1) Create a fake token and a SushiSwap pool for it

❗️ The next two steps are repeated🔄

2) Interact with Alpha Homora, where a payload is also called so that the attacker can get ibETH in the Rari ETH pool contract

6/7

3) Convert ibETH to ETH in the Rari ETH pool

As a result, 2.9k ETH ($11.1M) was stolen, and another 1.7k ETH was at risk before the actions of the Rari team.

The total profit from the two attacks was $15M in ETH.

7/7

The interoperability between DeFi protocols is becoming more complex, which opens up new attack vectors.

This attack was similar in difficulty to the Pickle Evil Jar, and such attacks will become even more frequent in the future.
You can follow @FrankResearcher.