Overview
Rari Capital launched in 2020 as a yield aggregation protocol run by a notably young team (several founders were teenagers). The protocol initially offered automated yield vaults that moved funds between DeFi protocols to optimize returns. Rari later launched Fuse — a permissionless lending pool creation platform that allowed anyone to create custom lending markets with configurable parameters (collateral factors, interest models, supported assets).
Fuse was Rari's most significant product and its most dangerous. The permissionless design meant anyone could create a lending pool with any token as collateral, set any risk parameters, and attract depositors. This was powerful but introduced systemic risk: poorly configured pools, illiquid collateral, and oracle manipulation vulnerabilities created an enormous attack surface.
The consequences were devastating. In April 2022, Rari Capital's Fuse pools were exploited for approximately $80 million through a reentrancy vulnerability. This was not the first exploit — Rari had suffered a $10M exploit in May 2021 through an integration vulnerability with Alpha Homora. The cumulative losses exceeded $90 million across multiple incidents.
Following the April 2022 exploit, Rari Capital merged with Fei Protocol (a stablecoin project) through a token swap where RGT holders received TRIBE tokens. The merged entity attempted to repay exploit victims but ultimately both Rari and Fei wound down operations, with the DAO voting to return remaining treasury assets to token holders.
Technology
Rari's technology was built on Compound's codebase (forked and modified). The Fuse pool system was genuinely innovative — it democratized lending pool creation and allowed DeFi protocols to create custom markets for their tokens. The technical architecture supported:
- Permissionless pool creation: Anyone could deploy a Fuse pool with custom parameters
- Configurable risk models: Custom collateral factors, interest rate curves, and liquidation incentives
- Multi-asset pools: Support for long-tail assets that Compound and Aave wouldn't list
- Yield aggregation: Automated strategies across DeFi protocols
The innovation was real, but the security implications of permissionless configuration were severely underestimated.
Security
Security was Rari Capital's catastrophic failure. The protocol suffered multiple exploits:
- May 2021: ~$10M lost through an integration vulnerability with Alpha Homora (cross-protocol reentrancy)
- April 2022: ~$80M lost from Fuse pools through a reentrancy attack on the borrowing function
The Fuse architecture was particularly vulnerable because permissionless pool creation meant the attack surface scaled with every new pool. Pools with illiquid collateral, aggressive collateral factors, or vulnerable oracle configurations were ticking time bombs. The team's youth and relative inexperience in smart contract security contributed to the failures.
Post-exploit analysis revealed that the April 2022 reentrancy vulnerability was a known class of bug that should have been caught by audits and testing. It was both a technical failure and a process failure.
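The bug class named above, as an added example that is not Rari's or Fuse's code: a simplified Python model of a lending pool whose borrow function pays out before recording the debt, next to a hardened ordering with a reentrancy lock. The class, the 50% collateral factor and the amounts are assumptions, and the model does not reconstruct the April 2022 transaction.

```python
# Simplified lending-pool model, constructed for illustration.
# Names, the 50% collateral factor and all amounts are assumptions.

class Pool:
    def __init__(self, cash, hardened):
        self.cash, self.hardened = cash, hardened
        self.collateral, self.debt = {}, {}
        self.locked = False  # reentrancy lock, enforced only when hardened

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount
        self.cash += amount

    def withdraw(self, user, amount):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        remaining = self.collateral.get(user, 0) - amount
        # Recorded debt must stay within 50% of the remaining collateral.
        if remaining < 0 or self.debt.get(user, 0) > remaining // 2:
            raise ValueError("withdrawal would leave debt under-collateralized")
        self.collateral[user] = remaining
        self.cash -= amount

    def borrow(self, user, amount, on_receive):
        if self.hardened and self.locked:
            raise RuntimeError("reentrant call rejected")
        new_debt = self.debt.get(user, 0) + amount
        if new_debt > self.collateral.get(user, 0) // 2 or amount > self.cash:
            raise ValueError("insufficient collateral or liquidity")
        self.locked = True
        try:
            if self.hardened:
                self.debt[user] = new_debt  # effects first
                self.cash -= amount
                on_receive()                # external interaction last
            else:
                self.cash -= amount
                on_receive()                # external interaction before effects
                self.debt[user] = new_debt  # debt recorded too late
        finally:
            self.locked = False

def unbacked_debt(hardened):
    """Invariant check: debt beyond what the remaining collateral supports."""
    pool = Pool(cash=1000, hardened=hardened)
    pool.deposit("u", 100)
    def callback():  # receiver's hook, run while borrow() is still executing
        try:
            pool.withdraw("u", 100)
        except (RuntimeError, ValueError):
            pass
    pool.borrow("u", 50, callback)
    return pool.debt["u"] - pool.collateral["u"] // 2
```

The same invariant (recorded debt never exceeds the collateral limit after any call sequence) is the kind of property a test suite or fuzzer can assert against every state-changing entry point of a pool.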
Decentralization
Rari Capital operated as a DAO governed by the RGT token. The permissionless Fuse pool model was highly decentralized — anyone could create and configure pools without approval. However, this decentralization was part of the problem: no central authority reviewed or approved pool configurations, allowing dangerous parameters to proliferate.
Adoption
At its peak, Rari's Fuse platform had over $1.5 billion in TVL and was used by many DeFi protocols (Frax, OHM, and others) to create custom lending markets. Post-exploit, adoption collapsed to zero as the protocol wound down. The technology was adopted — but the security wasn't adequate for the adoption it achieved.
Tokenomics
The RGT token was converted to TRIBE through the Fei merger. TRIBE itself has since been unwound, with the remaining treasury distributed to holders. Both tokens are effectively defunct. The tokenomics story is one of destruction — holders of both RGT and TRIBE suffered massive losses.
Risk Factors
- PROTOCOL IS DEAD. Both Rari Capital and Fei Protocol have wound down.
- $90M+ in exploit losses: Multiple hacks devastated the protocol and its users
- Permissionless risk: Fuse pools allowed dangerous configurations without oversight
- Token is defunct: RGT merged into TRIBE, which has also wound down
- No recovery: Protocol has been fully unwound with remaining treasury distributed
- Regulatory exposure: Exploit losses could attract regulatory scrutiny
Conclusion
Rari Capital's story is a DeFi tragedy: innovative technology undermined by inadequate security. The Fuse permissionless lending concept was genuinely forward-thinking — it anticipated the demand for long-tail asset lending that projects like Morpho are now pursuing more carefully. But Rari moved too fast with too little security infrastructure. The 2.0 score acknowledges the technical innovation while reflecting the catastrophic security failures that cost users over $90 million and ultimately killed the protocol. Rari is required study for anyone building permissionless DeFi — the lesson is that permissionless doesn't mean unaudited, and fast shipping is worthless if the ship sinks.