Fei Protocol Hack: $80 Million Stolen in Reentrancy Attack


Summary

On April 30, 2022, Fei Protocol, a decentralized finance (DeFi) protocol that merged with Rari Capital in 2021, was hacked for $80 million. The attacker exploited a reentrancy vulnerability in the protocol’s smart contracts to withdraw funds from the protocol’s reserves.

Attackers

The identity of the attacker(s) is unknown.

ERC-20

Losses

$80 Million

Timeline

Security Failure Causes

  • Reentrancy Vulnerability: The attacker exploited two functions within the contracts of Fei Protocol: exitMarket and borrow. The exitMarket function checks that a deposit is not being used as collateral for any loan and then permits the withdrawal of that deposit. The borrow function lets a user take out a loan using a deposited asset as collateral. However, borrow does not adhere to the checks-effects-interactions pattern, which leaves it open to reentrancy.
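
A minimal Solidity sketch of the ordering flaw described above, next to a hardened version. It is an added example, not Fei Protocol or Rari Capital code: the contract, its storage layout, the 50% collateral rule and every name other than borrow and exitMarket are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model for illustration; not Fei Protocol or Rari Capital code.
// Only the names borrow and exitMarket come from the write-up above.
contract LendingPoolModel {
    mapping(address => uint256) public deposits; // ETH pledged as collateral
    mapping(address => uint256) public debt;     // outstanding loan per account
    bool private locked;                         // one lock shared by all entry points

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }

    // Releases the deposit only when no loan is recorded against it.
    function exitMarket() external nonReentrant {
        require(debt[msg.sender] == 0, "deposit backs a loan");
        uint256 amount = deposits[msg.sender];
        deposits[msg.sender] = 0;
        _send(msg.sender, amount);
    }

    // BEFORE: interaction precedes effect, lock not taken. During _send the
    // recorded debt is still 0, so a nested exitMarket() passes its check.
    function borrowUnsafe(uint256 amount) external {
        require(debt[msg.sender] + amount <= deposits[msg.sender] / 2, "undercollateralised"); // check
        _send(msg.sender, amount);   // interaction: hands control to the caller
        debt[msg.sender] += amount;  // effect: recorded too late
    }

    // AFTER: checks, effects, interactions, under the shared lock. A nested
    // exitMarket() reverts on the lock and would also fail the debt check.
    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= deposits[msg.sender] / 2, "undercollateralised"); // check
        debt[msg.sender] += amount;  // effect: debt visible before any external call
        _send(msg.sender, amount);   // interaction
    }

    function _send(address to, uint256 amount) private {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The guard on exitMarket alone does not protect borrowUnsafe, because that function never takes the lock; the lock only helps when every state-changing entry point shares it.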