The Fei Rari Hack: A Devastating $80 Million DeFi Exploit

On April 30, 2022, the decentralized finance (DeFi) community was rocked by a devastating attack that drained approximately $80 million from seven of Rari's Fuse pools. The Fei Rari hack sent shockwaves through the industry, highlighting the critical importance of robust smart contract security measures and thorough auditing processes in the rapidly evolving DeFi landscape.

Anatomy of the Fei Rari Hack

Exploiting Vulnerabilities in Forked Compound Code

The Fei Rari hack exposed a significant vulnerability in Rari's use of forked Compound code. This vulnerability was similar to re-entrancy incidents seen in other projects like CREAM, Hundred, and Voltage/Ola. The attack specifically targeted the _exitMarket function within the Comptroller contract, which had not been adequately protected against re-entrancy.

Attack Mechanism and Smart Contract Exploitation

The attacker employed a sophisticated approach to exploit the vulnerability:

1. Utilized flash loans to borrow substantial amounts of ETH.
2. Exploited the call.value function in the CEther contract to make recursive calls.
3. Abused the _exitMarket function to withdraw flash-loaned collateral while retaining borrowed ETH.

This clever manipulation of the system allowed the attacker to drain funds from multiple Fuse pools, resulting in a staggering loss of $79,749,026.

Affected Fuse Pools and Transaction Analysis

The hack impacted seven Fuse pools, specifically numbered 8, 18, 27, 127, 144, 146, and 156. Interestingly, despite claims that Arbitrum pools were not vulnerable, the attack also resulted in minor losses of approximately 100 ETH on the Arbitrum network.

Vulnerabilities in Similar DeFi Projects

The Fei Rari hack serves as a stark reminder of the potential vulnerabilities inherent in projects that fork popular codebases without thoroughly auditing and securing them. Several types of projects are susceptible to similar attacks:

• DeFi lending protocols using forked Compound code
• Projects not adhering to the check-effect-interaction pattern
• Protocols with insufficient re-entrancy protection mechanisms
• Smart contracts utilizing call.value for ETH transfers without proper safeguards

Expert Opinions and Post-Mortem Analysis

In the aftermath of the hack, several experts and contributors shared their insights:

• Hacxyk and Certik were among the first to note the attack, highlighting the importance of rapid response and analysis in the DeFi security landscape.
• A contributor pointed out that the vulnerability had been previously fixed in Compound's code but was reintroduced in the Rari fork, emphasizing the need for careful code review when adapting existing protocols.
• Erin Plante, Senior Director of Investigations at Chainalysis, noted the increasing trend of state-sponsored hacking in DeFi, particularly mentioning the involvement of groups like Lazarus. This observation underscores the evolving threat landscape in the crypto space.

Prevention Methods and DeFi Security Best Practices

To mitigate the risk of similar attacks, DeFi projects should consider implementing the following security measures:

1. Thorough code audits: Regularly conduct comprehensive smart contract audits, especially when forking existing codebases.
2. Implement robust re-entrancy protection: Ensure all functions susceptible to re-entrancy attacks are properly secured.
3. Adhere to the check-effect-interaction pattern: This design pattern can help prevent many types of vulnerabilities, including re-entrancy.
4. Use multi-signature wallets: Implement multi-sig solutions for critical functions to add an extra layer of security.
5. Continuous monitoring and testing: Regularly test smart contracts for vulnerabilities and monitor on-chain activity for suspicious behavior.
6. Implement fail-safe mechanisms: Consider using trusted oracles like Chainlink price feeds as additional security measures.
7. Slow down and prioritize security: In the fast-paced world of DeFi, it's crucial to take the time to address potential risks effectively.

Lessons Learned from the Fei Rari Hack

Importance of Code Review in Forked Projects

The Fei Rari hack underscores the critical need for thorough code review when forking existing projects. Even if a vulnerability has been fixed in the original codebase, it can be reintroduced during the forking process if not carefully managed.

Interoperability Risks in DeFi Protocols

The increased interoperability between DeFi protocols has created new attack vectors, as demonstrated by this hack's exploitation of multiple protocols. Projects must consider the broader ecosystem when implementing security measures.

Developer Experience and Security Expertise

The incident sparked debates within the community about the relevance of developer age and experience in the DeFi industry. It highlighted the need for protocols to invest in in-house specialists for maintaining and researching vulnerabilities.

FAQs: Understanding and Preventing DeFi Hacks

Q1: Could this hack have been prevented?

A1: Yes, the hack could have been prevented through more thorough code auditing, proper implementation of re-entrancy protection, and adherence to secure coding practices like the check-effect-interaction pattern.

Q2: What lessons can other DeFi projects learn from this incident?

A2: The key lessons include the importance of thorough security audits, especially when forking existing code, implementing robust re-entrancy protection, and continuously monitoring and testing smart contracts for vulnerabilities.

Q3: How can users protect themselves from similar hacks?

A3: While users cannot directly prevent such hacks, they can mitigate risks by diversifying their investments, using protocols with a strong security track record, and staying informed about potential vulnerabilities in the projects they interact with.

Conclusion: Building a Secure DeFi Ecosystem

The Fei Rari hack serves as a sobering reminder of the critical importance of smart contract security in the rapidly evolving DeFi landscape. As the industry continues to grow and innovate, it's imperative that projects prioritize security, implement best practices, and remain vigilant against potential threats. By learning from incidents like this, the DeFi community can work towards building a more secure and resilient ecosystem for all participants.

Vidma Security stands at the forefront of blockchain security, offering comprehensive smart contract auditing services and penetration testing for blockchain projects. With expertise across multiple DeFi protocols, layer one solutions, and marketplaces, Vidma is committed to enhancing the security of the Web3 ecosystem. To learn more about how Vidma can secure your blockchain project, visit https://www.vidma.io.