Hacked Crypto Platform Offers ‘No Questions Asked’ $10M Bounty for Stolen Funds

The exploit is one of a growing number of hacking incidents on DeFi projects in recent months

article-image

Blockworks exclusive art by axel Rangel

share

key takeaways

  • Smart contract hackers targeted merged DeFi projects Rari Capital and Fei Protocol to steal almost $80 million over the weekend
  • Rather than seek VC funding to plug the losses, the Tribe DAO, which manages their governance, may vote to make users whole

Crypto platform Fei Protocol hopes a $10 million bounty “with no questions asked” will spur hackers to return nearly $80 million of digital assets stolen over the weekend.

Fei, the stablecoin issuer which merged with crypto lending startup Rari Capital just five months ago, made the plea on Twitter hours after the exploit — in which hackers infiltrated the platform’s lending pools — was detected Saturday.

“We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and paused all borrowing to mitigate further damage,” Fei Protocol tweeted. “To the exploiter, please accept a [$10 million] bounty and no questions asked if you return the remaining user funds.” 

Rari’s hacker leveraged a critical “reentrancy” bug buried deep within the protocol’s code. These bugs involve smart contracts calling each other to move funds without appropriate checks. 

For its codebase, Fei forked (read: copied) Ethereum money market platform Compound in early 2021. Compound enables crypto lending by valuing digital assets. It automatically determines borrowing limits and gauges market conditions to calculate interest rates.

Fei made certain changes to the code, however, and despite audits the flaw wasn’t discovered until it was too late.

Compound forks have suffered similar fates in the past. Rari even paid $2 million to security researchers who had discovered a nearly identical flaw in March.

Decentralized exchange Uniswap, DeFi platform Cream Finance, and The Dao, among other projects, have fallen victim to reentrancy attacks dating back to 2016. 

Rari also lost $11 million to smart contract hackers in an unrelated attack last May, then about 60% of the protocol’s capital.

In this case, Rari Fuse lending pools (which facilitate the lending of related ERC-20 tokens) effectively failed to keep track of how much cryptocurrency had been borrowed.

The setup illegitimately allowed for the borrowing of large amounts of cryptocurrency, withdrawal of the loan’s collateral and retention of borrowed funds, according to smart contract auditor CertiK.

The hackers flash-loaned $150 million worth of stablecoin USDC and 50,000 WETH ($141.5 million) to power more crypto loans from seven Rari Fuse pools.

After triggering a buggy “exitMarket” smart contract function, they withdrew the collateral, repaid the flash loan and kept the “borrowed” funds from Rari Fuse. The hackers repeated this process until they’d amassed roughly $80 million of crypto.

Rari Capital later disclosed another 100 ETH had been hacked Sunday from a Fuse pool on layer-2 Ethereum platform Arbitrum.

BlockSec Chief Technology Officer Lei Wu confirmed to Blockworks that 5,400 ETH of the pilfered stash had been sent to crypto mixer Tornado Cash.

The stolen funds essentially belong to Rari Fuse users who had loaned their crypto. With this in mind, Fei Protocol is not exactly the victim — despite the exploit targeting its source code. 

Rari developer Jack Longarzo told Blockworks that Rari’s Fuse platform and the Tribe DAO that manages Fei and Rari’s governance are the real victims. In fact, Tribe DAO may deliberate whether to release funds from its treasuries to make Rari Fuse users whole. Its treasury is currently worth $104 million, according to OpenOrgs.

While there’s no formal bailout proposal as yet (and Longarzo wouldn’t comment on whether one was in the works), such a move would starkly contrast the VC-funded bailouts of other embattled DeFi platforms such as Wormhole and Ronin, which have generally involved more centralized and private decision-making than a community vote.

But there is some indication that Tribe DAO participants may be losing faith. The DAO’s native token, TRIBE, is down 20% since the attack was first disclosed.


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

recent research

Research Report Templates.png

Research

An overview of the Base Ecosystem, with a focus on market leaders.

article-image

Although bitcoin hitting $120k by year’s end is looking unlikely

article-image

About 270 million HYPE has been claimed, valued around $7.6 billion

article-image

Stanford professors David Mazières and Dan Boneh will lead the lab alongside a cohort of graduate student researchers

article-image

With more companies holding BTC, bitcoin yielding strategies could become “a new corporate finance norm,” CoinShares posed

article-image

The proposal comes after Polygon governance considered a controversial use of bridged liquidity for yield

article-image

Can the community balance its decentralized ethos with the need for inclusivity and constructive debate?