1/n We have finished a preliminary analysis of a recent $80M exploit of @RariCapital. Here's how we think the attack was pulled off. 👇 Here's one sample exploit TX

2/n The Compound codebase has had a known problem of a broken check-effect-interaction pattern in the borrow function of CToken, aka re-entrancy. However, this would only be exploitable if there's an underlying asset that has a transfer hook, e.g. ERC-777.

3/n However, many forks, including Compound itself, have not been exploited. Why? Because as long as they check if a token has a transfer hook before adding it to the market, the re-entrancy puzzle is incomplete.

4/n Rari uses a much older codebase that has another problem. In particular, CEther uses .call.value()() instead of .transfer() to send out ETH! This is a re-entrancy pattern because if the receiver is a contract, it can make a call to another contract or the same contract via receive().

5/n By combining these two, it's possible to completely drain all borrowable funds. As we saw in the Cream Finance hack, after borrowing an asset, the transfer hook will be triggered, but the debt balance is not yet updated. So one can borrow another time.

6/n 2 months ago, @samczsun, @hritzdorf, and @YSmaragdakis (of @Dedaub) reported this issue to Rari. Rari patched it by adding a global re-entrancy guard to all CTokens, so that even when there's a re-entrancy, one cannot re-enter any other function. A $2M bounty was awarded.

7/n However, this proved to be not enough! While all state-changing functions in CToken are protected by the re-entrancy guard, functions in Comptroller are not, in particular exitMarket().

8/n Calling Comptroller.exitMarket() makes a deposited asset no longer count as collateral, so it can be withdrawn at any time. Of course, the function checks if the current health factor allows an asset to be disabled. But what if you can bypass the check?

9/n Here's how the attack works:
1. Flashloan asset and deposit into Rari
2. Borrow ETH, which triggers re-entrancy (debt not updated yet)
3. Call exitMarket. Now the asset is no longer collateral & can be withdrawn.
4. Repay flashloan
5. Attacker gets borrowed ETH for free

10/n 6. Attacker repeats the process until all borrowable funds are drained.

As we can see in many previous exploits of lending protocols, most of them have more or less the same root cause (re-entrancy & Compound). Compound has a lot of technical debt, it seems.

cc @RektHQ
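
The interaction described in 7/n to 9/n as a small Python model, added here as an illustration and not Rari's or Compound's code. The names (`Pool`, `exit_market`, `run`), the amounts and the single-number collateral accounting are constructed assumptions; it compares the CToken-only guard with two mitigations, having exitMarket() honour the same guard and recording the debt before ETH is sent.

```python
# Toy model (constructed): borrow() sends ETH before recording the debt, and
# exit_market() reads the recorded debt to decide whether collateral may leave.
class Revert(Exception): pass

class Pool:
    def __init__(self, guard_comptroller, effects_first):
        self.guard_comptroller = guard_comptroller  # does exitMarket() honour the guard?
        self.effects_first = effects_first          # record debt before sending ETH?
        self.locked = False                         # shared nonReentrant flag
        self.collateral = {}                        # account -> collateral value
        self.debt = {}                              # account -> ETH debt

    def borrow(self, who, amount, on_receive):      # models CEther.borrow()
        if self.locked:
            raise Revert("re-entered")
        self.locked = True
        try:
            if self.debt.get(who, 0) + amount > self.collateral.get(who, 0):
                raise Revert("insufficient collateral")
            if self.effects_first:
                self.debt[who] = self.debt.get(who, 0) + amount
            on_receive()                            # ETH sent: receiver's code runs here
            if not self.effects_first:
                self.debt[who] = self.debt.get(who, 0) + amount
        finally:
            self.locked = False

    def exit_market(self, who):                     # models Comptroller.exitMarket()
        if self.guard_comptroller and self.locked:
            raise Revert("re-entered")
        if self.debt.get(who, 0) > 0:               # health check uses recorded debt
            raise Revert("outstanding debt")
        self.collateral.pop(who, None)              # asset no longer counts as collateral

def run(guard_comptroller, effects_first):
    """Return (collateral_released, debt_recorded) when the receiver calls exit_market()."""
    pool = Pool(guard_comptroller, effects_first)
    pool.collateral["acct"] = 100                   # constructed deposit
    def on_receive():                               # receiver contract's callback
        try:
            pool.exit_market("acct")
        except Revert:
            pass
    pool.borrow("acct", 50, on_receive)
    return "acct" not in pool.collateral, pool.debt["acct"]
```

Only `run(False, False)`, the guard on the CToken alone with the debt written after the transfer, ends with the collateral released while a debt of 50 is still owed.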
