Reaper Attack: Fei Protocol Vulnerability Leads to $79.35 Million Theft Event Analysis

CertiK
Guest columnist
2022-05-03 05:32
With nearly $80 million in stolen assets, Fei Protocol may be the victim of the largest reentrancy attack ever.

On April 30, 2022 (Beijing time), Fei Protocol announced that it was investigating an exploit of the Rari Fuse pools. The project has paused all borrowing to limit further losses and has publicly offered the attacker $10 million in exchange for the return of the stolen user funds, promising to ask no questions afterwards.

The total reported loss so far is approximately $79.35 million. The attacker has sent 5,400 ETH (approximately $15.3 million) to Tornado Cash and still holds 22,672.97 ETH (approximately $64.25 million) in their wallet. The attack drained the Rari Fuse pools; the Fei pools (Tribe, Curve) have not been affected so far.

A Rari team member responded in the project's Discord that "PCVs in Fuse pools may be at risk".

The same Rari team member also confirmed that lendable-only assets were vulnerable, although the situation has since been brought under control.

Preliminary reports indicate that the root cause is most likely reentrancy, the most common class of bug found in smart contract audits and the culprit behind many exploits, from the infamous The DAO hack in 2016 to several major protocol incidents in recent years:

○ In April 2020, Uniswap/Lendf.Me was exploited through a reentrancy vulnerability; $5 million in assets was stolen.

○ In May 2021, BurgerSwap was exploited through a fake token contract combined with a reentrancy vulnerability; $7.2 million in assets was stolen.

○ In August 2021, SurgeBNB was exploited; the attacker appears to have used reentrancy-based price manipulation, and $4 million in assets was stolen.

○ In August 2021, a reentrancy vulnerability in Cream Finance allowed the attacker to re-borrow against the same collateral; $18.8 million in assets was stolen.

○ In September 2021, the Siren protocol was attacked and $3.5 million in assets was stolen; its AMM pool was exploited through reentrancy.

CertiK published an article on reentrancy attacks on medium this week: https://certik.medium.com/what-is-a-reentrancy-attack-6516fefc001

Final thoughts

In light of this, with nearly $80 million stolen, Fei Protocol is the largest reentrancy attack victim to date.

On April 1, 2022, Rari Capital published a security update on Medium stating that it had patched a security issue related to the Fuse pools.

That patch addressed a known reentrancy issue inherited from Compound's code by adding a reentrancy lock to the affected functions. Although the lock protects many of the system's entry points, it does not cover exitMarket(). Even with the global reentrancy lock active, an attacker who receives ETH from the pool can, inside the receiving callback, call exitMarket() before the pool has recorded the debt, removing the collateral that was supposed to back the borrow.
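The following toy model, written for this page and not taken from Fei, Rari or Compound code, shows the path just described: a Compound-style market sends ETH to the borrower before recording the borrow, the borrower's fallback calls exitMarket() on the comptroller (which the market's own reentrancy lock does not cover), and the now-unencumbered collateral is redeemed afterwards. It goes one step beyond the article by running the same attack against a market that records the debt before the external call (checks-effects-interactions), where exitMarket() refuses. The market, the comptroller, the 0.75 collateral factor, the 1000 ETH pool, the 100 ETH collateral, the 75 ETH borrow and the assumption that the ETH transfer forwards enough gas for the receiver's fallback to run are all constructed for this illustration.

```python
"""Toy model of the borrow()/exitMarket() reentrancy path described above.

Added example for this page, not Fei, Rari or Compound code. Assumptions (not
stated by the article): a single Compound-style ETH market, collateral factor
0.75, the ETH transfer in borrow() forwards enough gas for the receiver's
fallback to run, and the reentrancy lock covers only the market's entry points.
"""
from typing import Callable, Dict, Set


class Comptroller:
    """Market membership (what counts as collateral) and liquidity checks."""

    def __init__(self) -> None:
        self.members: Set[str] = set()
        self.market: "Market" = None  # set by Market.__init__

    def liquidity(self, acct: str, extra_borrow: int = 0, redeem: int = 0) -> float:
        """Collateral (counted only while a member) minus debt, after a hypothetical action."""
        m = self.market
        collateral = m.supply.get(acct, 0) - redeem if acct in self.members else 0
        return collateral * m.collateral_factor - (m.borrows.get(acct, 0) + extra_borrow)

    def redeem_allowed(self, acct: str, amount: int) -> bool:
        # A non-member's supply backs no debt, so the liquidity check is skipped for it.
        return acct not in self.members or self.liquidity(acct, redeem=amount) >= 0

    def exit_market(self, acct: str) -> None:
        """exitMarket(): only refuses if a borrow has already been *recorded*."""
        if self.market.borrows.get(acct, 0) != 0:
            raise ValueError("exitMarket: nonzero borrow balance")
        if not self.redeem_allowed(acct, self.market.supply.get(acct, 0)):
            raise ValueError("exitMarket: account would be undercollateralized")
        self.members.discard(acct)


class Market:
    """CEther-style market. fixed=True records the debt before sending ETH."""
    collateral_factor = 0.75

    def __init__(self, comptroller: Comptroller, fixed: bool) -> None:
        self.comptroller, self.fixed, self.cash = comptroller, fixed, 0
        comptroller.market = self
        self.supply: Dict[str, int] = {}
        self.borrows: Dict[str, int] = {}
        self._locked = False  # nonReentrant guard on borrow()/redeem() only

    def mint(self, acct: str, amount: int) -> None:
        """Supply ETH and enter the market so the supply counts as collateral."""
        self.cash += amount
        self.supply[acct] = self.supply.get(acct, 0) + amount
        self.comptroller.members.add(acct)

    def borrow(self, acct: str, amount: int, receive: Callable[[int], None]) -> None:
        if self._locked:
            raise RuntimeError("nonReentrant")
        self._locked = True
        try:
            if self.comptroller.liquidity(acct, extra_borrow=amount) < 0 or amount > self.cash:
                raise ValueError("borrow: insufficient liquidity or cash")
            self.cash -= amount
            if self.fixed:      # checks-effects-interactions: record the debt first
                self.borrows[acct] = self.borrows.get(acct, 0) + amount
            receive(amount)     # external call: the borrower's fallback runs here
            if not self.fixed:  # vulnerable ordering: debt recorded after the call
                self.borrows[acct] = self.borrows.get(acct, 0) + amount
        finally:
            self._locked = False

    def redeem(self, acct: str, amount: int) -> int:
        if self._locked:
            raise RuntimeError("nonReentrant")
        if not self.comptroller.redeem_allowed(acct, amount):
            raise ValueError("redeem: insufficient liquidity")
        self.supply[acct] -= amount
        self.cash -= amount
        return amount


def run_attack(fixed: bool) -> Dict[str, object]:
    """Constructed scenario: 1000 ETH pool, attacker supplies 100 ETH and borrows 75."""
    c = Comptroller()
    m = Market(c, fixed)
    m.mint("lp", 1000)       # honest liquidity provider
    m.mint("attacker", 100)  # attacker's collateral
    wallet, events = {"eth": 0}, []

    def attacker_fallback(amount: int) -> None:
        wallet["eth"] += amount
        try:   # the market's lock does block a nested redeem() ...
            m.redeem("attacker", 100)
        except RuntimeError as e:
            events.append(str(e))
        try:   # ... but exitMarket() lives on the comptroller and is not guarded
            c.exit_market("attacker")
            events.append("exited market inside borrow callback")
        except ValueError as e:
            events.append(str(e))

    m.borrow("attacker", 75, attacker_fallback)
    try:   # after borrow() returns, pull the now-unencumbered collateral out
        wallet["eth"] += m.redeem("attacker", 100)
    except ValueError as e:
        events.append(str(e))
    return {"attacker_eth": wallet["eth"], "attacker_debt": m.borrows.get("attacker", 0),
            "attacker_collateral": m.supply["attacker"], "pool_cash": m.cash, "events": events}
```

Running `run_attack(False)` leaves the attacker holding 175 ETH against a 75 ETH debt with no collateral in the pool; `run_attack(True)` leaves them with only the 75 ETH they legitimately borrowed, because exitMarket() sees the recorded debt and the final redeem fails the liquidity check. The point for reviewers of Compound forks is that a lock on the market's own functions is not enough while state is updated after the external call; either move the state update before the call or extend the lock to every path, exitMarket() included, that can change an account's collateral position.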

Fei Protocol also had a near miss earlier this month, when the bug could have been stopped before it was exploited but things did not go well: a bug was reported through their bug bounty program, and they closed the bounty program while they were fixing it.

As of now, the Fei Protocol team has not officially announced their findings.
