Rari Capital: Fake token + protocol callback exploit (ibETH injection via Alpha Homora) → ETH pool drain

A serial attacker used BSC exploit proceeds from Value DeFi to fund a cross-chain attack on Rari Capital's ETH pool, injecting fake ibETH via Alpha Homora to drain $10M in a single afternoon.

Occurred 2021-05-08 Loss $10M Status closed

Summary #

Rari Capital suffered a Yield Aggregator / Lending Pool on 2021-05-08, resulting in a loss of approximately $10M.

What happened #

A serial attacker used BSC exploit proceeds from Value DeFi to fund a cross-chain attack on Rari Capital's ETH pool, injecting fake ibETH via Alpha Homora to drain $10M in a single afternoon.

Linked factors #

RD-F-001 — causal : ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
RD-F-050 — causal : Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
RD-F-052 — related : Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]