On May 8, 2021, according to ChainNews, the Ethereum yield aggregation protocol Rari Capital experienced a vulnerability due to its integration with Alpha Finance, resulting in a loss of nearly 15 million USD. Following the incident, Rari Capital’s official team released an analysis report, detailing the main causes of the accident. Based on the official analysis and a thorough investigation by the SlowMist Security Team, we further interpret the reasons for this security incident.
Attack Details Analysis
This attack occurred in Rari Capital’s RariManager contract. The entire process involved the attacker first borrowing a large amount of funds through a flash loan from dYdX, and then repeatedly calling the deposit and withdraw functions in the RariManager contract to generate profit. As shown in the following diagram:
So how did the user profit from the deposit and withdraw operations? We need to analyze the corresponding functions:
The above is part of the deposit function logic. First, the deposit function itself will call the internal _depositTo function, and then it will call the getFundBalance function again to obtain the contract balance. The getFundBalance function eventually calls the getBalance function in the Rari Controller contract to obtain the balance. Finally, the balance is obtained through the getBalance function in the AlphaPoolController library of the Rari Controller contract. As the following image:
The process is slightly complicated, and when illustrated with a diagram, it would look like this:
From the above analysis, it is not difficult to see that the Rari contract ultimately uses Alpha Finance’s ibETH contract’s totalETH function to obtain the contract’s balance. The purpose is to calculate the real ETH balance of the Rari contract based on the ratio of totalETH to totalSupply. The deposit function calculates the number of REPT tokens to be issued to users based on the amount of ETH deposited by the user and the ratio. Similarly, the withdraw function also requires the getBalance function to obtain the contract’s ETH balance and calculate the ratio. Then, based on the user’s REPT token balance and the ratio, it calculates the amount of ETH to be returned to the user. However, the problem lies precisely in this formula for obtaining the ETH balance.
According to the official description, the value obtained from the totalETH function in the ibETH contract can be manipulated by users. The following is the official original text:
According to the official description, users can manipulate the value returned by the totalETH function through the work function in the ibETH contract, causing the entire value calculation formula of Rari to collapse. Let’s analyze the work function and totalETH function in the ibETH contract separately:
totalETH function:
work function:
The above are partial implementations of the totalETH function and work function in the ibETH contract. It is not difficult to see that the totalETH function is actually used to obtain the total amount of ETH in the contract. The work function, on the other hand, is a payable function, meaning that users can control the amount of ETH in the ibETH contract through the work function, thereby changing the value returned by the totalETH function. Even worse, the work function also supports calling any other contracts. With this in mind, the whole idea becomes quite clear.
Attack Process
1. Carry out a flash loan from dYdX, borrowing a large amount of ETH.
2. Use a portion of the borrowed ETH to deposit into the Rari Capital contract. At this point, the ratio obtained from ibETH is still normal.
3. Use the remaining ETH to deposit into the ibETH contract and call the work function of the ibETH contract to prepare for increasing the totalETH value returned in the next step.
4. Initiate a withdrawal from the Rari Capital contract within the work function. Since the totalETH value has been pushed higher in the previous step, the calculated totalETH()/totalSupply() value is relatively higher compared to the deposit, allowing the attacker to obtain more ETH from Rari Capital using the same amount of REPT.
Summary
The main reason for this attack was the incompatibility between protocols. The attacker utilized flash loans and reentrancy to exploit Rari Capital, resulting in significant losses. SlowMist Security Team suggests that as DeFi projects become increasingly complex, proper compatibility between protocols should be ensured during interactions to avoid losses caused by protocol incompatibilities.
[References]
Rari Capital official analysis:
https://medium.com/rari-capital/5-8-2021-rari-ethereum-pool-post-mortem-60aab6a6f8f9
Attack transaction (one of them):
https://etherscan.io/tx/0x171072422efb5cd461546bfe986017d9b5aa427ff1c07ebe8acc064b13a7b7be
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.
Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/
