Difference between revisions of "Rari Capital (RFT)"
Line 14: | Line 14: | ||
*Scored [https://www.defisafety.com/app/pqrs/449 30%] on [[DeFi Safety]] (2-6-2022), it went down substantially due to multiple hacks: | *Scored [https://www.defisafety.com/app/pqrs/449 30%] on [[DeFi Safety]] (2-6-2022), it went down substantially due to multiple hacks: | ||
''"As per the SLOC, there is 65% testing to code (TtC). There is no documented test report by Rari's developers. In addition, there is no code coverage report. Rari has not undergone formal verification. Rari does not document whether or not they use testnets. However, other sources [https://cryptominded.com/rari-fuze-hacker-offered-10m-bounty-by-fei-protocol-to-return-80m-loot/ identify] that they use internal testnets. All of Rari's products have been audited multiple times. Some were [https://github.com/Rari-Capital/vaults/tree/main/audits/Fixed-Point-Solutions pre-deployment] and some were [https://certificate.quantstamp.com/full/fuse-contracts post-deployment]."'' | ''"As per the SLOC, there is 65% testing to code (TtC). There is no documented test report by Rari's developers. In addition, there is no code coverage report. Rari has not undergone formal verification. Rari does not document whether or not they use testnets. However, other sources [https://cryptominded.com/rari-fuze-hacker-offered-10m-bounty-by-fei-protocol-to-return-80m-loot/ identify] that they use internal testnets. All of Rari's products have been audited multiple times. Some were [https://github.com/Rari-Capital/vaults/tree/main/audits/Fixed-Point-Solutions pre-deployment] and some were [https://certificate.quantstamp.com/full/fuse-contracts post-deployment]."'' | ||
With the [https://t.me/c/1453353094/9404 comment]: | |||
''"Despite some good (yet relatively disorganized) documentation, clear contract information, and a big bug bounty offering, an unfortunate [[Reentrancy Attack|re-entrancy attack]] still occurred. However, Rari should be congratulated for its nimble auditing record. While only their vaults are documented in their repo, all Rari products have been audited at some point. In addition, there's great software function documentation covering all contracts.'' | |||
''Despite this, there is no clear information relating to how their admins are controlled, owned, or what capabilities for change they possess. It is also unclear what timelock process is in place and there is no information relating to pausability in case of emergency either. In addition, how their [[oracles]] function and flashloan, as well as frontrunning countermeasures, aren't clearly considered. Generally speaking, their repository could benefit from some restructuring to make navigation and subsequently improvements a little easier."'' | |||
*Previously [https://defisafety.com/2021/03/20/rari-capitol/ scored] a 74% (20-3-2021); ''"Rari capital was released in October 20th. [[Quantstamp]] did an [https://www.notion.so/Rari-Capital-Audit-Quantstamp-December-2020-24a1d1df94894d6881ee190686f47bc7 audit] in December 2020." ''With the [https://t.me/c/1453353094/2691 comment]: ''"Good docs but weak tests and an audit done after deployment weakened the score."'' | *Previously [https://defisafety.com/2021/03/20/rari-capitol/ scored] a 74% (20-3-2021); ''"Rari capital was released in October 20th. [[Quantstamp]] did an [https://www.notion.so/Rari-Capital-Audit-Quantstamp-December-2020-24a1d1df94894d6881ee190686f47bc7 audit] in December 2020." ''With the [https://t.me/c/1453353094/2691 comment]: ''"Good docs but weak tests and an audit done after deployment weakened the score."'' | ||
*Quantstamp audited the later hacked code ([https://twitter.com/Darrenlautf/status/1417493473385660433/photo/1 20-7-2021]). | *Quantstamp audited the later hacked code ([https://twitter.com/Darrenlautf/status/1417493473385660433/photo/1 20-7-2021]). |
Revision as of 02:27, 6 June 2022
Rari Capital is a yield harvesting tool that automatically rebalances your funds between different protocols to earn the best return.
Basics
History
- The young team created a wallet called Ambo and sold it to MyCrypto and worked there for one and a half year before working on this project (8-3-2021).
Audits & Exploits
- Rari's is covered by the Tribe's $2.2m bug bounty (2-6-2022).
- Scored 30% on DeFi Safety (2-6-2022), it went down substantially due to multiple hacks:
"As per the SLOC, there is 65% testing to code (TtC). There is no documented test report by Rari's developers. In addition, there is no code coverage report. Rari has not undergone formal verification. Rari does not document whether or not they use testnets. However, other sources identify that they use internal testnets. All of Rari's products have been audited multiple times. Some were pre-deployment and some were post-deployment."
With the comment:
"Despite some good (yet relatively disorganized) documentation, clear contract information, and a big bug bounty offering, an unfortunate re-entrancy attack still occurred. However, Rari should be congratulated for its nimble auditing record. While only their vaults are documented in their repo, all Rari products have been audited at some point. In addition, there's great software function documentation covering all contracts.
Despite this, there is no clear information relating to how their admins are controlled, owned, or what capabilities for change they possess. It is also unclear what timelock process is in place and there is no information relating to pausability in case of emergency either. In addition, how their oracles function and flashloan, as well as frontrunning countermeasures, aren't clearly considered. Generally speaking, their repository could benefit from some restructuring to make navigation and subsequently improvements a little easier."
- Previously scored a 74% (20-3-2021); "Rari capital was released in October 20th. Quantstamp did an audit in December 2020." With the comment: "Good docs but weak tests and an audit done after deployment weakened the score."
- Quantstamp audited the later hacked code (20-7-2021).
- From The Defiant (16-7-2020): Rari is in progress with an audit and hence unaudited.
Bugs/Exploits
- From Blockthreat (3-5-2022):
"On April 30, 2022 Fei Protocol’s Rari pools on Ethereum and Arbitrum networks lost $80M as a result of a reentrancy exploit. Rari Capital patched a price oracle manipulation vulnerability in one of its pools after it was responsibly disclosed by Hacxyk."
- From Week in Ethereum (2-4-2022):
"Rari Capital: Fuse pool vulnerability disclosed, cross-asset reentrancy allowed assets to be borrowed for free, pools fixed via upgrade"
- From Week in Ethereum (5-2-2022):
"Index Coop Rari pool attempted attack, Uniswap V3 TWAP oracle manipulation prevented by arb bot, attacker lost 68 ETH."
- From Blockthreat (14-11-2021):
"On November 2, 2021, Rari Fuse protocol was exploited with a price manipulation exploit which resulted in the loss of $3M."
- From Week in Ethereum (6-11-2021):
"Fuse community pool drained after VUSD price manipulated on Uniswap v3, TWAPs can be subject to manipulation."
- From Crypto Briefing (10-5-2021):
"All of the protocol contributors decided to forego their token allocation in RGT to reimburse anyone affected by the hack. The 2,000,000 RGT (currently worth over $20 million) have been sent to the DAO in charge of both reimbursing lost funds and rewarding those who helped Rari fight the attack."
"The youthful yield aggregator has fallen victim to a serial attacker, as the same wallet which attacked Value DeFi only hours before, turned their eyes onto the Rari Capital ETH pool, removing $10 million worth of ETH. The attacker decided to voice their opinion on the involved protocols, but it seems they had second thoughts, as they tried to cancel the transaction. However, they set the gas too low and the cancellation didn’t go through for 20 minutes, giving everyone time to see their message."
Governance
Admin Keys
- From DeFi Safety (2-6-2022):
"No admin control information is detailed in Rari's documentation. The relevant contracts are not identified as immutable / upgradeable. Ownership is not clearly indicated in Rari's documentation. There is a brief mention of a Rari governance token, but there is no explanation as to what it does. Smart contract change capabilities are not identified in any of Rari's contracts. This protocol's pause control is not documented. Rari has no timelock documentation."
DAO
Treasury
Token
Launch
Token allocation
- From their blog (7-10-2020):
"We will be distributing 87.50% of the token to depositors within a short 60 day period. The remaining tokens will be reserved for the team and subject to The Rari Vesting Plan."
Utility
- From The Defiant (16-7-2020):
"It takes COMP mined from lending Rari funds on Compound and liquidates COMP every 3 days to increase interest payments to RFT token holders, which is just the IOU token you receive in your wallet when you deposit stablecoins into Rari."
- From their blog (7-10-2020):
"The $RGT will have a few different roles:
- Maintaining Governance: decisions to integrate new protocols, edit pool parameters, edit risk parameters, etc
- Passthrough Governance: if a pool accumulates other tokens like $COMP, $BAL, the token can serve as a passthrough for their governance
- Fee Discounts: the token can be used for fee discounts from the Rari Protocol
$RGT will be burned on every cent made by the protocol (70% of all revenues to be exact), decreasing the total supply of the token as the protocol succeeds."
Token Details
Stablecoin
Coin Distribution
Tech
- Whitepaper or docs can be found here.
- Code can be viewed here. From DeFi Safety (2-6-2022):
"Their FUSE repository has some 330 contracts, making this tribe's history a well documented cave painting."
"Rari Capital will migrate its liquidity to its own fund on the Melon (soon to be rebranded!) Protocol in the coming weeks following the release of Melon v2."
How it works
- From the announcement (14-7-2020):
"We automatically rebalance the funds to earn yield by:
- Lending between lending protocols (ie Compound Finance, dYdX)
- Swapping between stablecoins for arbitrage and yield optimization
- Farming yield from protocol-based rewards (ie $COMP)"
Fee Mechanisms
Upgrades
Staking
Different Implementations
Interoperability
Other Details
- Has integrated mStable mUSD (25-9-2020)
Oracle Method
- From DeFi Safety (2-6-2022):
"The protocol's oracle source is documented at this location. The contracts dependent are not identified. There is no relevant software function documentation. This protocol documents no front running mitigation techniques. Rari documents no flashloan countermeasures."
Compliance
Their Other Projects
Fuse Protocol
- Not to be confused with the Fuse Network.
- Centered around isolated interest rate markets. Went live (18-3-2021).
Roadmap
- Can be found [Insert link here].
Usage
Projects that use or built on it
Competition
Pros and Cons
Pros
Cons
Team, Funding, Partners
Team
- Full team can be found [here].
- From the announcement (14-7-2020):
"Our team comes from a variety of backgrounds all with an emphasis on security: MyCrypto, the most secure Ethereum wallet, Boeing, Scoot, Bain and many others."
"Founded by Jai Bhavnani, 18, Jack Lipstone, 19, and David Lucid, also 19."
Funding
Partners
- Partners with Olympus (6-2021).
- Might merge with Fei (17-11-2021). Votes got passed, FeiRari is a fact (22-12-2021).
(:
Knowledge empowers all and will help us get closer to the decentralized world we all want to live in!
Making these free wiki pages is fun but takes a lot of effort and time.
If you have enjoyed reading, tips are appreciated :) This will help us to keep expanding this archive of information.
ETH tip address: 0x83460bE5F218b1520B69D702cE60A1DE37dD8E31
Also check out CoinTr.ee for more content.