Ola Finance Says Attackers Stole $4.7M in 'Re-Entrancy' Exploit


Decentralized lending platform Ola Finance was exploited for over $4.67 million in a “re-entrancy” attack on Thursday, according to a post-mortem report released by the developers.

  • Ola operates a decentralized finance (DeFi) platform across several blockchains, and Thursday’s attack targeted its deployment on the Fuse network. DeFi refers to the use of smart contracts instead of third parties for financial services such as lending and borrowing.

  • Ola's services on the Fuse network were exploited for 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 wrapped ether, 26.25 wrapped bitcoin and 1,240,000.00 FUSE. All of that is worth over $4.67 million at current prices.

  • The attack occurred via a re-entrancy vulnerability in the ERC677 token standard. Re-entrancy is a common bug class that lets an attacker trick a smart contract by calling back into a protocol repeatedly in order to steal assets. A call is an authorization for the smart contract address to interact with a user’s wallet address.

  • In the first heist transaction, the attacker took a 515 WETH flash loan from the WETH-WBTC pair on Voltage Finance to fund the attack. In later transactions, the attacker avoided a flash loan by using the funds that had already been stolen, the post-mortem report confirmed. Voltage is a decentralized trading protocol that allows for the automated trading of DeFi tokens on the Fuse network.

  • Attackers were able to trick Voltage’s smart contracts by transferring wrapped assets – generated using flash loans, a form of uncollateralized lending – and inducing the smart contract to transfer funds from Voltage to the hacker’s addresses.

  • Ola Finance said the attack couldn't be replicated on other lending networks that it supports. “We will investigate each token’s 'transfer' logic to make sure no problematic token standards are in use,” the developers said.

  • Meanwhile, Voltage said it was speaking with external parties to trace the attacker and create a plan to compensate affected users.
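The re-entrancy pattern described in the post-mortem, a token transfer hook that calls back into the caller before the lending contract has finished updating its books, is easier to see in code. The following is an added illustration written for this article; it is not Ola Finance's, Fuse's or Voltage's code and makes no claim about their exact contract layout. It assumes a hypothetical ERC677-style token whose `transfer` invokes `onTokenTransfer` on a receiving contract, and shows a minimal vault that writes a precomputed balance only after the outbound transfer (the ordering that re-entrancy abuses) next to a hardened version that updates state first and adds a mutex.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical ERC677-style interfaces, constructed for this example.
// The point of ERC677 is that transfer() to a contract also calls
// onTokenTransfer() on it, i.e. the recipient gets control mid-transfer.
interface IERC677Receiver {
    function onTokenTransfer(address from, uint256 amount, bytes calldata data) external;
}

interface IERC677 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE ordering (illustrative, not any real protocol's code):
// the new balance is computed, the tokens are sent, and only then is the
// balance written. During the send, an ERC677 hook hands control to the
// receiver while deposits[msg.sender] still holds the OLD value, so a
// re-entrant withdraw() passes the same check again. Because the
// post-transfer write stores a precomputed value rather than subtracting,
// each nested call overwrites the balance with the same number and nothing
// underflows or reverts, which is what makes this ordering dangerous.
contract VulnerableVault {
    IERC677 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC677 t) { token = t; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        deposits[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        uint256 balance = deposits[msg.sender];
        require(balance >= amount, "insufficient balance");
        uint256 newBalance = balance - amount;     // computed before the interaction
        require(token.transfer(msg.sender, amount), "transfer failed"); // INTERACTION
        deposits[msg.sender] = newBalance;         // EFFECT written too late
    }
}

// HARDENED version: checks-effects-interactions ordering plus a
// re-entrancy guard, so even a token with a transfer hook cannot reach
// withdraw() a second time with stale accounting.
contract HardenedVault {
    IERC677 public immutable token;
    mapping(address => uint256) public deposits;
    uint256 private _status = 1;                   // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC677 t) { token = t; }

    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        deposits[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(deposits[msg.sender] >= amount, "insufficient balance"); // CHECK
        deposits[msg.sender] -= amount;                                   // EFFECT
        require(token.transfer(msg.sender, amount), "transfer failed");   // INTERACTION
    }
}
```

Two independent fixes are shown on purpose: moving the state write before the external call removes the window the hook exploits, and the `nonReentrant` mutex closes the window even if a future code path gets the ordering wrong again. For a lending protocol, the equivalent review step is the one Ola's developers describe above: inspect each listed token's `transfer` logic for hooks (ERC677, ERC777 and similar) before assuming transfers cannot call back into the market.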