Rari Capital, a decentralized finance (DeFi) project, plans to reimburse users who lost funds when almost $11 million in ethereum (around 60% of users’ funds) was drained from its liquidity pool.
- Rari Capital said the attacker exploited its yield-generating integration with Alpha Finance Labs’ ibETH token.
- Jai Bhavnani, Rari Capital CEO, explained in a blog post on May 9 that the exploit drained a total of 2,600 ETH (about $10.6 million at the time of writing).
- The attacker took advantage of a function in the ibETH token to artificially inflate its value, allowing more to be withdrawn than had been deposited, according to a May 9 post-mortem by David Lucid, Rari Capital's lead developer.
- In his update, Bhavnani said 2 million of the project's RGT governance token, intended to be used to scale the team, would now be offered to reimburse users that lost out to the exploit.
- "All of the protocol contributors have elected to give that 2M $RGT back to the DAO with the ask of using the newly acquired $RGT to reimburse lost funds and reward those that helped in the war room," he said.
- In future, Rari Capital will request the protocols it integrates with to review the integrations for security, according to Lucid.
- He also proposed that deposits and withdrawals are prevented in the same block, or have a timelock applied to prevent funds being drained at speed.
- From trading at more than $17 prior to the exploit, the Rari governance token fell almost 50% to $9.07 before rebounding. At press time it is sitting at $12.09.
- The 2 million RGT tokens are currently worth just over $2.4 million.