Analysis of Rari being hacked: happy to do aggregation but helplessly attacked

On May 8, 2021, according to Lianwen, the Ethereum income aggregation protocol Rari Capital had a loophole due to the integration of Alpha Finance, and lost nearly 15 million US dollars. Afterwards, Rari Capital officially released the accident analysis report, analyzing the main causes of the accident. On the basis of the official analysis, the SlowMist security team combined the in-depth analysis of the incident by the SlowMist security team to further interpret the cause of the security accident.

This attack occurred in the RariManger contract of Rari Capital. The whole process is that the attacker first borrowed a huge amount of funds from dYdX through flash loans, and then repeatedly called the deposit and withdraw functions in the RariManger contract to complete the profit. As shown below:

Indian cricket legend Sachin Tendulkar to release exclusive NFT series on NFT platform Rario: October 20 news, Indian cricket legend Sachin Tendulkar becomes a strategic investor in cricket-focused NFT platform Rario, Tendulkar's life and career Iconic career moments will be available exclusively on Rario.com in the form of NFTs. It is reported that Rario has previously established exclusive partnerships with other famous cricketers, including Aaron Finch, Fafdu Plessis, Rishabh Pant, Virender Sehwag and Zaheer Khan. Additionally, Rario has partnerships with various cricket boards, major tournaments and has a roster of over 900 international cricketers. (Coindesk) [2022/10/20 16:32:29]

OpenSea has officially launched OpenRarity, an open standard for NFT rarity: On September 22, OpenSea has officially launched OpenRarity, an open standard for NFT rarity. Users can already view it in the series of NFT projects Cool Cats, Pudgy Penguins, and Moonbirds. Opt-in their NFT to OpenRarity by navigating to their settings page.

Note, OpenRarity is an open NFT rarity standard jointly developed by OpenSea, NFT analysis tool Curio, NFT analysis platform icy.tools, and Moonbirds parent company PROOF. Degree ranking transparency, developers can access OpenRarity scores and rankings through the API. [2022/9/22 7:12:51]

So how do users profit from the two operations of deposit and withdraw? We need to analyze the corresponding function:

Tribe DAO Proposes $157M Redemption Plan to Distribute Crypto Assets to Token Holders and Rari Hack Victims: Golden Finance reports that Tribe DAO has made a proposal to shut down its protocol operations. It is a roughly $157 million redemption program that distributes remaining assets controlled by The DAO to TRIBE holders and compensates victims of the Rari hack that occurred in April. Any approval will need to be in a future DAO vote by token holders. The redemption proposal will compensate the hack victims in this incident with the team’s 88.9 million unvested TRIBE tokens, which will release about $16 million to the victims. For TRIBE holders, the total amount of assets controlled by the DAO is approximately $141 million, which will be distributed proportionally.

On April 30, Rari Capital’s funding pool was attacked, worth approximately $80 million. (The Block)[2022/8/20 12:37:18]

LooksRare launched the batch listing function: On April 15, LooksRare has launched the batch listing function. Users can now list NFT in batches at the same or different prices. [2022/4/15 14:25:48]

The above is part of the logic of the deposit function. First, the deposit function itself calls the internal _depositTo function, and then calls the getFundBalance function again to obtain the balance of the contract. The getFundBalance function will eventually call the getBalance function of the Rari Controller contract to obtain the balance. Finally, the balance is obtained through the getBalance function of the AlphaPoolController library in the Rari Controller contract. As shown below:

The transaction volume of LooksRare in the NFT market is US$14.68 billion: Jinse Finance reported that according to data from dappradar, the total transaction volume of LooksRare in the NFT market reached US$14.68 billion, ranking second in the NFT market. [2022/2/8 9:36:41]

The process is slightly complicated, and it is roughly as follows to show it with a diagram:

From the above analysis, it is not difficult to find that the Rari contract finally uses the totalETH function of the ibETH contract of the Alpha Finance project to obtain the balance of the contract. The purpose is to calculate the real ETH balance of the Rari contract based on the ratio of totalETH and totalSupply. The deposit function is to calculate the amount of REPT to be issued to the user based on the amount of ETH recharged by the user and the ratio, and the formula of the withdraw function is similar. It is also necessary to obtain the ETH balance of the contract through the getBalance function and calculate the ratio, and then according to the user's REPT token The balance and ratio calculations need to return the amount of ETH to the user. But the problem is precisely with this formula for getting the ETH balance.

According to the official description, the value obtained from the totalETH function obtained from the ibETH contract can be manipulated by the user. The following is the official text:

According to the official description, users can manipulate the value returned by the totalETH function through the work function of the ibETH contract, causing the entire value calculation formula of Rari to collapse. We analyze the work function and totalETH function of ibETH respectively:

totalETH function:

work function:

The above are partial implementations of the totalETH function and the work function in the ibETH contract. It is not difficult to find that the totalETH function is actually to obtain the total ETH amount of the contract. The work function itself is a payable function, that is to say, the user can control the amount of ETH in the ibETH contract through the work function to change the value returned by totalETH. To make matters worse, the work function also supports calling other arbitrary contracts. Then the whole idea is very clear.

1. Make a flash loan from dYdX and lend a large amount of ETH;

2. Use a part of ETH to recharge into the Rari Capital contract. At this time, the ratio obtained from ibETH is still normal;

3. Use the remaining ETH to recharge into the ibETH contract, call the work function of the ibETH contract, and prepare for the subsequent push up of the totalETH return value of the ibETH contract;

4. At the same time, in the work function, the withdrawal of the Rari Capital contract is initiated. Since the totalETH value has been pushed up in the previous step, but the calculated value of totalETH()/totalSupply() is pulled up compared to the recharge, so that the attacker can get from Rari Use the same amount of REPT in Capital to get more ETH.

According to this analysis, the main reason is the incompatibility of the protocol. The attacker attacked Rari Capital through flash loans and re-entry, causing huge losses. The SlowMist security team suggests that as DeFi gradually becomes more complex, when each DeFi project interacts between protocols, it is necessary to ensure compatibility between protocols to avoid losses caused by protocol compatibility issues.

[Reference Link]

Rari Capital official analysis:

https://medium.com/rari-capital/5-8-2021-rari-ethereum-pool-post-mortem-60aab6a6f8f9

Attack transaction (one of them):

https://etherscan.io/tx/0x171072422efb5cd461546bfe986017d9b5aa427ff1c07ebe8acc064b13a7b7be

By: yudan@slow fog security team

Tags：

MATIC