Hacked Crypto Platform Offers ‘No Questions Asked’ $10M Bounty for Stolen Funds

The exploit is one of a growing number of hacking incidents on DeFi projects in recent months


Blockworks exclusive art by axel Rangel


key takeaways

  • Smart contract hackers targeted merged DeFi projects Rari Capital and Fei Protocol to steal almost $80 million over the weekend
  • Rather than seek VC funding to plug the losses, the Tribe DAO, which manages their governance, may vote to make users whole

Crypto platform Fei Protocol hopes a $10 million bounty “with no questions asked” will spur hackers to return nearly $80 million of digital assets stolen over the weekend.

Fei, the stablecoin issuer which merged with crypto lending startup Rari Capital just five months ago, made the plea on Twitter hours after the exploit — in which hackers infiltrated the platform’s lending pools — was detected Saturday.

“We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and paused all borrowing to mitigate further damage,” Fei Protocol tweeted. “To the exploiter, please accept a [$10 million] bounty and no questions asked if you return the remaining user funds.” 

Rari’s hacker leveraged a critical “reentrancy” bug buried deep within the protocol’s code. These bugs involve smart contracts calling each other to move funds without appropriate checks. 

For its codebase, Fei forked (read: copied) Ethereum money market platform Compound in early 2021. Compound enables crypto lending by valuing digital assets. It automatically determines borrowing limits and gauges market conditions to calculate interest rates.

Fei made certain changes to the code, however, and despite audits the flaw wasn’t discovered until it was too late.

Compound forks have suffered similar fates in the past. Rari even paid $2 million to security researchers who had discovered a nearly identical flaw in March.

Decentralized exchange Uniswap, DeFi platform Cream Finance, and The Dao, among other projects, have fallen victim to reentrancy attacks dating back to 2016. 

Rari also lost $11 million to smart contract hackers in an unrelated attack last May, then about 60% of the protocol’s capital.

In this case, Rari Fuse lending pools (which facilitate the lending of related ERC-20 tokens) effectively failed to keep track of how much cryptocurrency had been borrowed.

The setup illegitimately allowed for the borrowing of large amounts of cryptocurrency, withdrawal of the loan’s collateral and retention of borrowed funds, according to smart contract auditor CertiK.

The hackers flash-loaned $150 million worth of stablecoin USDC and 50,000 WETH ($141.5 million) to power more crypto loans from seven Rari Fuse pools.

After triggering a buggy “exitMarket” smart contract function, they withdrew the collateral, repaid the flash loan and kept the “borrowed” funds from Rari Fuse. The hackers repeated this process until they’d amassed roughly $80 million of crypto.

Rari Capital later disclosed another 100 ETH had been hacked Sunday from a Fuse pool on layer-2 Ethereum platform Arbitrum.

BlockSec Chief Technology Officer Lei Wu confirmed to Blockworks that 5,400 ETH of the pilfered stash had been sent to crypto mixer Tornado Cash.

The stolen funds essentially belong to Rari Fuse users who had loaned their crypto. With this in mind, Fei Protocol is not exactly the victim — despite the exploit targeting its source code. 

Rari developer Jack Longarzo told Blockworks that Rari’s Fuse platform and the Tribe DAO that manages Fei and Rari’s governance are the real victims. In fact, Tribe DAO may deliberate whether to release funds from its treasuries to make Rari Fuse users whole. Its treasury is currently worth $104 million, according to OpenOrgs.

While there’s no formal bailout proposal as yet (and Longarzo wouldn’t comment on whether one was in the works), such a move would starkly contrast the VC-funded bailouts of other embattled DeFi platforms such as Wormhole and Ronin, which have generally involved more centralized and private decision-making than a community vote.

But there is some indication that Tribe DAO participants may be losing faith. The DAO’s native token, TRIBE, is down 20% since the attack was first disclosed.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.


Upcoming Events

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research



Data publishing costs have historically been a bottleneck for rollups, and as more rollups launch, interoperability will continue to be a major challenge. Avail presents a potential solution to rollup fragmentation through its three products: Avail DA, Nexus, and Fusion, which together aim to unify the web3 experience.


The Bitcoin halving is a spectacle that only comes round once every four years


The SEC alleges that Justin Sun spent nearly 400 days in the US from 2017 to 2019


Short-term “sell the news” reactions could follow new BTC price peaks months from now, industry watchers say — but only if history repeats itself


While crypto fundraising remains well off its bull market highs, Q1 data shows capital is returning to the space


Billed as a better BRC-20 fungible token standard, Bitcoin Runes launches tomorrow


Bitcoin miners need to explore unconventional energy avenues or be buried by the financial realities created by this halving