Rari hacked accident analysis: happy to do aggregation, but not attacked

As DeFi gradually becomes more complex, DeFi projects need to ensure compatibility between protocols when they interact with each other, to avoid losses caused by protocol compatibility issues.


On May 8, 2021, Rari Capital, an Ethereum yield aggregation protocol, lost nearly $15 million due to a vulnerability arising from its integration with Alpha Finance. After the incident, Rari Capital officially released an incident analysis report covering the main causes of the incident. Building on the official analysis, the SlowMist security team adds its own in-depth analysis of the incident to further explain the causes of this security incident.

Analysis of the details of the attack
The attack occurred in the RariManger contract of Rari Capital. In outline, the attacker first borrowed a huge amount of funds from dYdX through a flash loan, and then repeatedly called the deposit and withdraw functions in the RariManger contract to extract a profit.

So how does the user profit from the deposit and withdraw operations? We need to analyze the corresponding functions.


The above is part of the logic of the deposit function. The deposit function first calls the internal _depositTo function, and then calls the getFundBalance function to get the balance of the contract. The getFundBalance function eventually calls the getBalance function of the Rari Controller contract to get the balance. Finally, the getBalance function of the AlphaPoolController library in the Rari Controller contract is used to get the balance, as shown in the following diagram.


The process is slightly more complex and is illustrated in a diagram that looks like this.


From the above analysis, it is easy to see that the Rari contract ultimately uses the totalETH function of the ibETH contract of the Alpha Finance project to get the balance of the contract, calculating the real ETH balance of the Rari contract from the ratio of totalETH to totalSupply. The deposit function calculates the amount of REPT to be issued to the user based on the amount of ETH deposited by the user and this ratio. The withdraw function uses a similar formula: it also calls the getBalance function to obtain the ETH balance of the contract and calculate the ratio, and then calculates the amount of ETH to be returned to the user based on the user's REPT token balance and the ratio. But the problem lies precisely in the formula for getting the ETH balance.

According to the official description, the value obtained by the totalETH function from the ibETH contract can be manipulated by the user. Here is the official text.


According to the official description, the user can manipulate the value returned by the totalETH function through the work function of the ibETH contract, causing Rari's entire value calculation formula to break down. Let's analyze the ibETH work function and the totalETH function separately.

totalETH function.


work function.


The above are partial implementations of the totalETH function and the work function of the ibETH contract, respectively. It is easy to see that the totalETH function actually gets the total amount of ETH in the contract. The work function, on the other hand, is a payable function, which means that the user can control the amount of ETH in the ibETH contract through the work function and so change the value returned by totalETH. What's worse, the work function also supports calling any other contract. With that, the whole attack path is clear.

Attack process

  1. Take out a flash loan from dYdX, borrowing a large amount of ETH.

  2. Deposit part of the ETH into the Rari Capital contract, while the ratio obtained from ibETH is still normal.

  3. Send the remaining ETH into the ibETH contract by calling the work function of the ibETH contract, which pushes up the return value of totalETH.

  4. Inside the work function, a withdrawal from the Rari Capital contract is initiated at the same time. Since the totalETH value has been pushed up in the previous step, the calculated totalETH()/totalSupply() value is higher than it was at deposit time, allowing the attacker to obtain more ETH from Rari Capital with the same amount of REPT.
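The accounting problem behind these steps, as an added numeric model that is not code from Rari Capital, Alpha Finance or the original analysis: a pool that prices its ibETH position at the spot totalETH()/totalSupply() rate pays out more than was deposited if that rate rises between the deposit and the withdrawal. The class names, the `checkpoint`/`max_drift` guard and all amounts are constructed assumptions; the guard is one possible mitigation, not the fix Rari deployed.

```python
from fractions import Fraction

class IbEth:
    """Constructed stand-in for ibETH: only the two values the rate depends on."""
    def __init__(self, total_eth, total_supply):
        self.total_eth, self.total_supply = total_eth, total_supply

    def rate(self):
        # ETH value of one ibETH unit: totalETH() / totalSupply()
        return Fraction(self.total_eth, self.total_supply)

class Pool:
    """Hypothetical aggregator that values its ibETH position at ibETH's rate."""
    def __init__(self, ib, ib_held, idle_eth, shares, max_drift=None):
        self.ib, self.ib_held = ib, ib_held
        self.idle_eth = Fraction(idle_eth)
        self.shares = Fraction(shares)   # pool tokens already held by other users
        self.max_drift = max_drift       # None = trust the spot rate (weak setting)
        self.checkpoint = ib.rate()      # rate recorded at an earlier, trusted point

    def balance(self):
        rate = self.ib.rate()
        if self.max_drift is not None:
            # Hardened path: refuse to price shares off a rate that has jumped.
            if abs(rate - self.checkpoint) > self.checkpoint * self.max_drift:
                raise ValueError("ibETH rate deviates from checkpoint")
        return self.idle_eth + self.ib_held * rate

    def deposit(self, eth):
        minted = eth * self.shares / self.balance()
        self.idle_eth += eth
        self.shares += minted
        return minted

    def withdraw(self, shares):
        eth_out = shares * self.balance() / self.shares
        self.idle_eth -= eth_out
        self.shares -= shares
        return eth_out

def round_trip(max_drift, bump=200):
    """Deposit 100 ETH, let totalETH change by `bump`, withdraw the same shares."""
    ib = IbEth(total_eth=1000, total_supply=1000)          # constructed values
    pool = Pool(ib, ib_held=500, idle_eth=500, shares=1000, max_drift=max_drift)
    minted = pool.deposit(100)
    ib.total_eth += bump       # rate changes between the two balance reads
    return pool.withdraw(minted)
```

With the spot rate trusted, the 100 ETH deposit comes back as 1200/11 ETH, the difference being taken from the other share holders; with a 1% drift limit the withdrawal is rejected instead.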

Summary
According to this analysis, the main cause of the incident was a protocol compatibility issue: the attacker attacked Rari Capital through a flash loan and reentrancy, causing a huge loss. The SlowMist security team recommends that, as DeFi gradually becomes more complex, each DeFi project ensure compatibility between protocols when they interact with each other, to avoid losses caused by protocol compatibility issues.

Reference Links

Rari Capital official analysis:
https://medium.com/rari-capital/5-8-2021-rari-ethereum-pool-post-mortem-60aab6a6f8f9

Attack transaction (one of them):
https://etherscan.io/tx/0x171072422efb5cd461546bfe986017d9b5aa427ff1c07ebe8acc064b13a7b7be

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/rari-hacked-accident-analysis-happy-to-do-aggregation-but-not-attacked/