Rari Capital loses $10 million in Ether
Rari Capital automates yield farming by working a balance between the pools and user funds. It's the latest protocol to suffer from an attack, with 2600 ETH in user funds lost from the ETH - ibETH pool. Approximately 60% of user funds were taken.
RGT's price dropped by nearly 50% as a result of the attack, from $17.39 to $9.10. The price has since recovered and was trading at $14.24 on 10th May.
The attacker had attacked Value DeFi only hours before, and used the profits earned to attack Rari Capital in a cross-chain attack. The attacker washed the funds via Tornado Cash.
Overview of the attack
The attacker took out a ETH flashloan from dYdX and deposited the ETH into Rari Capital's Ethereum pool. Rari used Alpha Finance's ibETH token as one of its yield-generating strategies for ETH deposits.
Rari contributors were not aware that
ibETH.totalETH can be manipulated inside the
ibETH.work function, or that a user of
ibETH.work can call any contract it
wants to inside
ibETH.work, including the Rari Capital Ethereum Pool deposit and withdrawal functions.
Affected users are being compensated
The community discussed the best course of action to compensate affected users. It was decided that approximately 2 million RGT, which had been allocated to protocol contributors and ecosystem expansion, would be used as a compensation fund.