Cyber Incident Victim: Rari Capital
Date: Apr 2022
Location: United States of America
Summary
A decentralized finance platform suffered an $80 million exploit due to a reentrancy vulnerability in its Fuse lending market, with an associated stablecoin protocol offering a $10 million bounty to the attacker. Concurrently, another DeFi platform experienced a $10.3 million theft, though blockchain security firms recovered approximately $3.8 million of those funds. Both platforms temporarily halted operations to mitigate risks and initiated processes to reimburse affected users, including community voting on reimbursement strategies. The incident marked the second major security breach for the first platform, following a prior multimillion-dollar loss. The attackers leveraged smart contract flaws enabling repeated fund withdrawals before transaction validation.
Description
On April 30, 2022, Rari Capital confirmed reports from blockchain security firms that approximately $80 million in cryptocurrency had been stolen from its platform. The attack targeted multiple Fuse pools; Fuse is Rari’s product that lets developers create their own decentralized lending markets. Rari immediately paused all borrowing globally to prevent further losses, assuring users that no additional funds were at risk. The company collaborated with Fei Protocol—a stablecoin issuer that had merged with Rari—to address the breach, with Fei offering the attacker a $10 million bounty for the return of the stolen funds. Blockchain security firm BlockSec identified the exploit as a reentrancy attack, a vulnerability that lets an attacker re-enter a contract and withdraw funds repeatedly before the first withdrawal has been finalized. This incident marked Rari’s second major security breach, following a $15 million loss from a price manipulation attack in May 2021. Concurrently, decentralized exchange Saddle Finance reported a separate theft of $10.3 million on the same day, bringing the combined losses to over $90 million. Saddle attempted to negotiate with its attacker and recovered $3.8 million through BlockSec’s intervention.

The attackers exploited smart contract vulnerabilities inherent to both platforms’ DeFi architectures. Rari’s team worked with Fei Protocol’s developers—collectively referred to as “the Tribe”—to mitigate losses and recover funds, though no public details emerged regarding user compensation plans. Saddle Finance initiated a governance process to decide reimbursement methods, planning to put the final decision to a community vote. Blockchain analytics firm PeckShield tracked portions of Saddle’s stolen assets, noting that 3,633 ETH remained in the attacker’s wallet while 300 ETH (approximately $850,000) had been laundered through Tornado Cash, a cryptocurrency mixing service. Neither platform disclosed technical specifics of the fixes being implemented, though Rari emphasized ongoing vulnerability remediation. The incidents underscored persistent risks in DeFi protocols, particularly reentrancy flaws that had previously compromised platforms like Revest Finance, Ola Finance, and Cream Finance. Financial impacts included direct user losses, operational disruptions from paused services, and unresolved reimbursement processes for both platforms.
