Ola Finance on Fuse Network suffers $3.6 million hack

Ola finance is a platform for creating custom decentralized lending networks.

  • Ola Finance has lost $3.6 million to an attack on its lending product on Fuse Network.
  • An unknown hacker took advantage of a reentrancy vulnerability in the protocol’s smart contract.

Decentralized lending protocol Ola Finance was exploited for over $4.67 million in a “re-entrancy” attack on Thursday, according to a post-mortem report released by developers.

  • Ola operates a decentralized finance (DeFi) protocol across several blockchains, and Thursday’s attack targeted its deployment on the Fuse network . DeFi refers to the use of smart contracts instead of third parties for financial services such as lending and borrowing.

The incident involved a common issue known as a reentrancy bug, a smart contract vulnerability that enables hackers to make repeated calls to a protocol in order to steal assets. Just a few weeks ago, two DeFi protocols on Gnosis Chain — Hundred Finance and Agave — lost customer funds amounting to more than $11 million in flash loan attacks resulting from reentrancy bugs.

Security firm PeckShield told The Block that the Ola Finance hacker started by first borrowing funds using their own collateral. After that, taking advantage of the reentrancy vulnerability within Ola’s smart contracts, the hacker was able to remove the collateral without repaying the loan they took. The perpetrator then repeated the same process on other Ola Finance pools to make off with $3.6 million in total.

After draining the funds, the perpetrator transferred them from Fuse to other blockchains — BNB Chain and Ethereum — via Fuse’s own cross-chain bridge. Of the total loot, it is reported that the hacker holds $3 million on Ethereum and another $637,000 on BNB Chain

Ola Finance said the attack could not be replicated on other lending networks that it supports. “We will investigate each token’s “transfer” logic to make sure no problematic token standards are in use,” the developers said.

Meanwhile, Voltage said it was speaking with external parties to trace the attacker and create a plan to compensate affected users.

ref: https://twitter.com/peckshield/status/1509431646818234369

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.