Dawn breaks Saturday morning in the Americas with a crushing DeFi exploit. Stablecoin provider and Tribe DAO member Fei Protocol was hacked in a series of transactions around 6:30 EST, for a loss of over 26,873 ETH, just over $76 million USD. The protocol is currently offering a $10 million USD whitehat bounty for return of the stolen funds, and 4,200 ETH ($11.9 million USD) has already been moved through Tornado Cash. The attack occurred over a set of Rari Capital Fuse pools, and the extent of any risk to other Fuse pools is unclear at this time. (What is Fuse?)
The Fei/Fuse attacker first deployed two attack contracts (contract 1, contract 2), then unleashed a flurry of transactions over the course of an hour.
The exact details of the attack are not yet known, but the result was that several Fuse pools were drained entirely. After the exploit, the attacker traded all their ill-gotten gains for ETH, and is currently funneling it into Tornado Cash. You can see the Fuse value borrowed explode as the attacker drains the pools.
The exploited pools seem to be limited to:
Interestingly, Pool 146 is an ETH/stakedETH pool, with no FEI assets in it. It will be interesting to see how this pool was exploited.
As investigators start to dig into the hack, it looks like there is a reentrancy bug involved which allowed the hacker to bypass checks and balances, and withdraw more than their allotted funds.
This article will be updated as more information about the hack is released. My sympathy to the victims of the Fei Protocol hack, and I hope the attacker takes the whitehat bounty. Given that 4,200 ETH has already flowed out to Tornado Cash, I don’t have much hope for that outcome.