# Rari Exploit Act (A Lot) ### Primary Attack Wallets 1. 0x6162759eDAd730152F0dF8115c698a42E666157F 2. 0x65760288f19cff476b80a36a61f9dedab16bab49 ### Primary Hack Transactions ##### Act One - Pools 146 and 8 : 0x6162 wallet attacker https://etherscan.io/tx/0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6 https://etherscan.io/tx/0x0f75349606610313cb666277eeda612e72be624cae061d017e503056bbf4d8e0 For Act One, hacker does **not** use Flashbots but from here on out, excepting the arbitrum copycat, Flashbots relay is used for the rest Twenty minutes pass between Act One and the next set of attacks. This is a long time for a staged and planned attack; it gave Rari a lot of time to respond (but nobody could be woken up to pause the contracts) ##### Act Two - Pools 144 and 27 : 0x6162 wallet attacker https://etherscan.io/tx/0x254735c6c14e4d338b1cc5bca43aab6b0f395ae06085013b1b2527180d270a31 https://etherscan.io/tx/0x0742b138a78ad9bd5d0b55221d514637313bc64c40272ca98c8d0417a519e2e4 Eleven minutes pass between these two rounds. Again, a relatively long time. ##### Act Three - Pools 127, 156, and 18 : 0x6162 wallet attacker https://etherscan.io/tx/0xab486012f21be741c9e674ffda227e30518e8a1e37a5f1d58d0b0d41f6e76530 https://etherscan.io/tx/0x9e4d4f4ebb45d1e03813d834494045c1b6ea2adbde1b89fbe24349846c223779 https://etherscan.io/tx/0xa185f63b82cbb199a435399cfd414b89ebab91485d5034cdf8861a5f958259a4 At this point, Rari finall paused borrowing on all mainnet pools ##### Act Four - ATetranode's Arbitrum Pool (Day later) https://arbiscan.io/tx/0x3212d091792f81f18a31aab753de6b3128d79dcb5e8392167249595f813203ef ###### One hour after Tetra's tweet:  ### Quirks 1. Attacker uses Cowswap to exit; this is highly atypical and may leak some info 2. Using flashbots for attacks is also not terribly common; why switch to it after the first round? ### Thoughts I think use of Flashbots may be a mistake for the hacker; either the logs of the Relay or the ingress nodes to AWS in the region (Ashburn?) I'm also unsure on use of Cowswap; IP addresses and browser fingerprint data may well be available Doing non-hack transactions such as the `claim` and `redeem` calls feels like something a "professional" attacker would be less like to do ### Rari Message to Attacker ```We noticed you may be considering the no-questions-asked $10m offer. If you wish to take us up on this, please deposit the remaining funds to the Tribe DAO Timelock: 0xd51dbA7a94e1adEa403553A8235C302cEbF41a3c``` ### Obvious Re-entrancy issue  #### Solutions (uncredited) a) change call to transfer b) move doTransferOut to the end c) create a wildly complex global reentrancy harness *they chose to do just c) and their implementation missed one function* Apparently, on 5/2/22 Twitter Space, auditors were blamed for the mistake. (I didn't listen so second /third hand) #### Here's where the missing guard was  ### Concerns over Fei backing?  Market didn't really respond; FEI peg didn't move ### Decompile Tool One Output ```{ "Contract": { "constructor": { "function": { "selector": "Constructor", "numberInputArguments": 0, "entryPoint": 0 } }, "functions": [ { "selector": "1c1b8772", "numberInputArguments": 1, "modifiers": [ "Payable" ], "entryPoint": 176 }, { "selector": "1e83409a", "numberInputArguments": 1, "modifiers": [ "Payable" ], "entryPoint": 215 }, { "selector": "2986c0e5", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 252 }, { "selector": "34930754", "numberInputArguments": 5, "modifiers": [ "Payable" ], "entryPoint": 300 }, { "selector": "349b4736", "numberInputArguments": 3, "modifiers": [ "Payable" ], "entryPoint": 337 }, { "selector": "741bef1a", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 428 }, { "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 486 }, { "selector": "1249c58b", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 493 }, { "selector": "2f4350c2", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 514 }, { "selector": "f04f2707", "numberInputArguments": 4, "modifiers": [ "Payable" ], "entryPoint": 528 }, { "selector": "5fe3b567", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 535 }, { "selector": "8da5cb5b", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 578 }, { "selector": "a9059cbb", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 599 }, { "selector": "ad5c4648", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 631 }, { "selector": "bd5b853b", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 652 }, { "selector": "be6002c2", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 684 }, { "selector": "c5ebeaec", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 729 }, { "selector": "cc14d688", "numberInputArguments": 0, "modifiers": [ "Payable" ], "entryPoint": 761 }, { "selector": "5c38449e", "numberInputArguments": 1, "entryPoint": 3322 } ], "fallback": [ { "selector": "Fallback", "numberInputArguments": 0, "modifiers": [ "Fallback", "Payable" ], "entryPoint": 163 } ], "metadata": { "SolcVersion": "v0.8.1", "Raw": { "ipfs": "EiAtUZbASIxc5pjXbio78EiKy/yD7UTDCTgJ2BDGQ48dUA==", "solc": "AAgB" } } }, "Metadata": { "unidentifiedFuncSel": [ "18ffa3fd", "4a584432", "a0712d68", "252c2219", "ede4edd0", "c2998238", "317afabb", "a6afed95", "1d8e90d1", "d0e30db0", "47bd3718", "5ec88c79", "31ff47fa", "70a08231", "7dc0d1d0", "6eb1769f", "fc57d4df", "3b1d21a2", "6f307dc3", "095ea7b3", "852a12e3", "07dc0d1d", "2e1a7d4d", "dd62ed3e", "2e1c224f", "19985a5b", "18533047", "4e487b71", "ffffffff" ], "hardcodedAddresses": [ "ba12222222228d8ba445958a75a0704d566bf2c8", "c02aaa39b223fe8d0a0e5c4f27ead9083c756cc2" ] } }```