Rari Capital loses $10 million in Ether

Spartan Protocol

Rari Capital automates yield farming by working a balance between the pools and user funds. It's the latest protocol to suffer from an attack, with 2600 ETH in user funds lost from the ETH - ibETH pool. Approximately 60% of user funds were taken.

RGT's price dropped by nearly 50% as a result of the attack, from $17.39 to $9.10. The price has since recovered and was trading at $14.24 on 10th May.

The attacker had attacked Value DeFi only hours before, and used the profits earned to attack Rari Capital in a cross-chain attack. The attacker washed the funds via Tornado Cash.

Overview of the attack

The attacker took out a ETH flashloan from dYdX and deposited the ETH into Rari Capital's Ethereum pool. Rari used Alpha Finance's ibETH token as one of its yield-generating strategies for ETH deposits.

Rari contributors were not aware that ibETH.totalETH can be manipulated inside the ibETH.work function, or that a user of ibETH.work can call any contract it wants to inside ibETH.work, including the Rari Capital Ethereum Pool deposit and withdrawal functions.

Affected users are being compensated

The community discussed the best course of action to compensate affected users. It was decided that approximately 2 million RGT, which had been allocated to protocol contributors and ecosystem expansion, would be used as a compensation fund.