Rari Capital's Fuse lending pools lost $80M in a reentrancy attack exploiting a callback vulnerability in compound-fork code.
The attacker exploited a reentrancy vulnerability in Rari Capital's Fuse platform — a permissionless lending protocol forked from Compound. By using ETH's fallback function to reenter the borrow function before state was updated, the attacker was able to borrow assets multiple times against the same collateral across multiple Fuse pools. Fei Protocol, which had significant deposits in Fuse, suffered the majority of losses.
Stolen ETH immediately moved through Tornado Cash in large batches. Rari Capital and Fei Protocol both published post-mortems. The Tribe DAO (governing both protocols) voted to compensate affected users using protocol reserves. The hack ultimately led to Fei Protocol winding down operations and Rari Capital shutting its Fuse product. No funds recovered.
0xab486012a6f1728b873fd9b4b8cb270cf7cb5ec3c5d8caf5ced0b5b28c88acfd