defirisk.co
rubric v1.7.0

Fei Protocol / Rari Capital (Fuse): Re-entrancy via `exitMarket()` in Compound fork missing check-effects-interaction pattern

Rari Capital's Fuse isolated lending pools lost $80M to a re-entrancy attack exploiting a gap in their Compound fork's `exitMarket()` function — a vulnerability class that had already drained CREAM, Hundred, and Rari's own Fuse pools months earlier.

Occurred 2022-04-30 Loss $80M Status closed

Summary #

Fei Protocol / Rari Capital (Fuse) suffered a Lending / Money Market (Compound fork — Fuse isolated pools) on 2022-04-30, resulting in a loss of approximately $80M.

What happened #

Rari Capital's Fuse isolated lending pools lost $80M to a re-entrancy attack exploiting a gap in their Compound fork's `exitMarket()` function — a vulnerability class that had already drained CREAM, Hundred, and Rari's own Fuse pools months earlier.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — the specific `exitMarket()` gap was introduced after prior audits; the vulnerability had been partially patched but incompletely] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: No — the specific `exitMarket()` gap was introduced after prior audits; the vulnerability had been partially patched but incompletely]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited version of patched code; vulnerability re-introduced in a developer commit to forked Compound code]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the March 2022 partial patch modified CToken and Comptroller but left `exitMarket()` uncovered] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the March 2022 partial patch modified CToken and Comptroller but left `exitMarket()` uncovered]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — large flash loans followed by immediate borrow-and-exit sequences visible on-chain]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Compound Finance fork (Fuse uses modified Compound codebase)]
  • RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Y — Compound Finance fork (Fuse uses modified Compound codebase)]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the March 2022 partial patch modified CToken and Comptroller but left `exitMarket()` uncovered]