Fei Protocol Hack: $80 Million Stolen in Reentrancy Attack
Summary
On April 30, 2022, Fei Protocol, a decentralized finance (DeFi) protocol that merged with Rari Capital in 2021, was hacked for $80 million. The attacker exploited a reentrancy vulnerability in the protocol’s smart contracts to withdraw funds from the protocol’s reserves.
Attackers
The identity of the attacker(s) is unknown.
ERC-20
- FeiProtocol-Fuse Exploiter: 0x6162759eDAd730152F0dF8115c698a42E666157F
Losses
$80 Million
Timeline
- April 30, 2022, 09:01:35 AM UTC: The hacker exploited a reentrancy vulnerability in the lending protocol.
- April 30, 2022, 10:23:58 AM UTC: The funds started to be laundered through Tornado Cash.
Security Failure Causes
- Reentrancy Vulnerability: The attacker exploited two functions in Fei Protocol's contracts: exitMarket and borrow. The exitMarket function verifies that a deposit is not being used as collateral for any loan and then permits the deposit to be withdrawn. The borrow function lets a user take out a loan using a deposited asset as collateral. However, borrow does not follow the checks-effects-interactions pattern, which leaves it open to reentrancy.
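The ordering problem described above, as an added example that is not Fei Protocol or Rari Capital contract code: a simplified Python model of a lending market in which borrow hands control to the borrower (the `on_receive` callback) during the transfer. The `Market` class, its method names, the `simulate` helper and all amounts are constructed assumptions; the point is the invariant a test suite should hold, namely that locked collateral always covers recorded debt.

```python
class Market:
    """Toy lending market (constructed model, not the real contracts)."""

    def __init__(self, effects_before_interaction):
        self.effects_first = effects_before_interaction
        self.collateral = {}  # user -> deposit locked as collateral
        self.debt = {}        # user -> outstanding loan

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def exit_market(self, user):
        # Release the deposit only if it does not back a loan.
        if self.debt.get(user, 0) > 0:
            raise RuntimeError("deposit still backs a loan")
        return self.collateral.pop(user, 0)

    def borrow(self, user, amount, on_receive):
        # Check: the loan must be covered by the deposit.
        if amount > self.collateral.get(user, 0):
            raise ValueError("insufficient collateral")
        if self.effects_first:
            # Effect recorded before the external call (hardened ordering).
            self.debt[user] = self.debt.get(user, 0) + amount
        on_receive()  # Interaction: control passes to the borrower.
        if not self.effects_first:
            # Effect recorded after the external call (vulnerable ordering).
            self.debt[user] = self.debt.get(user, 0) + amount


def simulate(effects_before_interaction):
    """Run one borrow whose receiver re-enters exit_market; report the state."""
    market = Market(effects_before_interaction)
    market.deposit("user", 100)  # constructed sample amounts
    released = []

    def on_receive():
        try:
            released.append(market.exit_market("user"))
        except RuntimeError:
            released.append(0)  # re-entrant withdrawal was refused

    market.borrow("user", 80, on_receive)
    locked = market.collateral.get("user", 0)
    debt = market.debt["user"]
    return {"debt": debt, "locked": locked,
            "released_during_borrow": released[0],
            "invariant_holds": locked >= debt}


if __name__ == "__main__":
    print("interaction before effect:", simulate(False))
    print("effect before interaction:", simulate(True))
```

With the effect recorded first, exit_market already sees the debt when it is re-entered and refuses to release the deposit, so the invariant holds.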