In brief

  • An attacker stole 2600 ETH, or nearly $11 million, from a DeFi project called Rari Capital over the weekend.
  • Rari Capital says it plans to reimburse users who lost money.

On Saturday, a company called Rari Capital announced that $11 million in Ethereum was stolen from its platform. According to a note, the amount represented “60% of all users’ funds” in the company's Ethereum pool.

Now, Rari plans to set aside 2 million RGT (the project’s governance token) to compensate the users who lost money in the hack.

Rari Capital is a crypto fund under the heading of DeFi, or decentralized finance. It’s a non-custodial fund—meaning it runs on code that handles your money for you, as opposed to a banker or investment manager. The idea is that if you entrust Rari with your crypto, these algorithms will juice your gains (the company describes itself as a “robo-advisor for maximizing yield”).

For Rari, the RGT token works a little like a voting share in a traditional company. It’s also spawned a secondary market: in the wake of Saturday’s hack, the price of RGT dipped around 50%.

At today’s prices (one RGT is back up to $12.42, though it’s been fluctuating wildly), the planned 2 million RGT donation comes in at $24 million—more than enough to cover the $11 million stolen from Rari’s users.

In a note, Rari CEO Jai Bhavnani said that Rari team members would be sacrificing their RGT allocations and putting them toward the reimbursement. The tokens, for now, will be sent back to the project's treasury, which is managed by a decentralized autonomous organization (DAO). Rari users and token holders will then vote on whether to approve the reimbursement and, if so, how it will be distributed.

DeFi protocols are famously risky investments. DeFi “rug pulls,” a type of exit scam, were the most common type of crypto fraud scheme in 2020, according to data from the blockchain analytics firm Chainalysis.

Devotees of DeFi like that it takes banks out of the picture, but one of the nice things about banks is that they tend to keep your money safe; when a DeFi protocol’s code gets exploited, it’s on majority token-holders to decide whether to reimburse the victims.

In this case, the hackers were able to extract ETH from Rari by manipulating the code around an affiliated DeFi protocol, Alpha Finance. Rari claims the code was previously audited by a blockchain security company called Quantstamp, but says "they were not aware" of the exploit.

Says Bhavnani: “Countless protocols get hacked each year and it is a matter of how the community and the protocol that determines the future of the project.”

Editor's note: This article was updated after publication to clarify that Rari Capital's RGT token holders have not yet voted on the planned reimbursement and to specify that only funds from the company's Ethereum pool were drained.