Fei Protocol Offers $10M Bounty After $80M Rari Capital Exploit

An exploit enabled attackers to drain $80 million in crypto from decentralized finance (DeFi) platform Rari Capital’s liquidity pools, according to a tweet today by blockchain and smart contract audit firm BlockSec.

The BlockSec team called the security flaw a “typical reentrance vulnerability,” and tweeted again with a picture displaying the offending code.

Algorithmic stablecoin Fei—the self-touted “Stablecoin for DeFei”—also had contributed liquidity to Rari Capital’s exploited pools. Fei has a market cap of well over half a billion dollars, making it the 11th largest stablecoin, according to data from CoinGecko. 

In December, Fei merged with Rari Capital. Rari enables the creation of so-called Fuse Pools—permissionless lending pools—that anyone with a wallet can access from anywhere to lend or borrow ERC-20 tokens. No minimum funds are required of users.

Fei and Rari’s joint effort got off the ground with $2 billion in liquidity.

Fei Protocol acknowledged the exploit on Twitter shortly before BlockSec’s report, saying, “We have identified the root cause and paused all borrowing.” Fei also promised a $10 million bounty to the attackers if they return the stolen funds.

Fei is trading a little below its peg, at $0.9895, as of this writing.

$11 million in 2021

This isn’t Rari Capital’s first major exploit. In May of last year, a hacker stole 2,600 ETH (worth around $11 million at the time) from Rari Capital users. 

At the time, CEO Jai Bhavnani said Rari team members would be sacrificing their RGT allocations and putting them toward the reimbursement. When the companies merged, Fei Protocol assumed some of Rari’s liabilities stemming from that exploit.

The best of Decrypt straight to your inbox.

Get the top stories curated daily, weekly roundups & deep dives straight to your inbox.