According to a post-mortem report issued Friday, the funds were lost in a reentrancy attack.
According to a post-mortem study issued by its developers, the decentralised lending protocol Ola Finance was exploited for approximately $4.67 million in a reentrancy attack on Thursday.
Ola runs a decentralised finance (DeFi) lending system spanning multiple blockchains, and Thursday’s attack was directed at its deployment on the Fuse network. DeFi refers to the use of smart contracts, rather than third-party intermediaries, to carry out financial transactions such as lending and borrowing.
All projects accept responsibility and ask our communities to focus on the next steps of growth, rather than assigning blame.
— Ola.finance (@ola_finance) March 31, 2022
The attacker drained 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 wrapped ether, 26.25 wrapped bitcoin, and 1,240,000.00 FUSE from Ola’s Fuse network deployment. This is worth more than $4.67 million at the current exchange rate.
The hack used a feature of the ERC677 token standard that allows reentrancy: when an ERC677 token is transferred to a contract, the token calls a hook on the recipient, which can call back into the protocol before the protocol has finished updating its own state. Reentrancy is a common class of smart-contract bug in which an attacker repeatedly re-enters a protocol mid-transaction and tricks it into releasing more assets than the attacker is entitled to. The transfer hook is what gives the recipient address the chance to run its own code in the middle of the protocol’s call.
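The pattern described above, shown as an added example rather than code from Ola Finance or any token on the Fuse network: a minimal vault that pays out through an ERC677-style transferAndCall, first with the external call placed before the balance update (the vulnerable ordering), then hardened with the checks-effects-interactions order and a reentrancy mutex. The interface names transferAndCall and onTokenTransfer follow the ERC677 proposal; the vault contracts, their function names and the IERC677Like interface are constructed for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal ERC677-style interface (constructed for this example; the function names
// follow the ERC677 proposal, the vault below is not Ola Finance's code).
interface IERC677Like {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    // On a contract recipient, transferAndCall invokes onTokenTransfer(from, value, data)
    // before returning. That hook is the re-entry point a reentrancy guard must cover.
    function transferAndCall(address to, uint256 value, bytes calldata data) external returns (bool);
}

// VULNERABLE ordering: the external call happens before the balance is cleared, so a
// contract recipient's onTokenTransfer hook can call withdrawAll() again while its
// recorded deposit is still nonzero and take more than it deposited.
contract VulnerableVault {
    IERC677Like public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC677Like _token) { token = _token; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender] += amount;
    }

    function withdrawAll() external {
        uint256 amount = deposits[msg.sender];                                        // check
        require(amount > 0, "nothing to withdraw");
        require(token.transferAndCall(msg.sender, amount, ""), "transfer failed");    // interaction
        deposits[msg.sender] = 0;                                                     // effect, too late
    }
}

// HARDENED: balance is zeroed before the token call (checks-effects-interactions),
// and a mutex rejects any nested call into the vault while a call is in progress.
contract HardenedVault {
    IERC677Like public immutable token;
    mapping(address => uint256) public deposits;
    uint256 private _status = 1; // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC677Like _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender] += amount;
    }

    function withdrawAll() external nonReentrant {
        uint256 amount = deposits[msg.sender];                                        // check
        require(amount > 0, "nothing to withdraw");
        deposits[msg.sender] = 0;                                                     // effect first
        require(token.transferAndCall(msg.sender, amount, ""), "transfer failed");    // interaction last
    }
}
```

Two points for reviewers of a lending protocol that lists tokens with transfer hooks: the ordering fix alone closes this particular hole, but the mutex also protects every other state-changing function from being entered through the same hook, which is why both are applied. And because the hook lives in the token rather than in the protocol, the audit that matters is the one Ola describes in its post-mortem, checking each listed token’s transfer logic for callbacks before trusting it as collateral.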
The attacker funded the first exploit transaction with a 515 WETH flash loan from the WETH-WBTC pair on Voltage Finance. In subsequent transactions the attacker needed no flash loan, reusing funds that had already been stolen, the post-mortem study confirmed. Voltage is a decentralised exchange that provides automated DeFi token trading on the Fuse blockchain.
The attackers fooled Voltage’s smart contracts by transferring wrapped assets, obtained through flash loans (a form of uncollateralised lending), and instructing the contracts to move funds from Voltage to the attacker’s addresses.
Ola Finance stated that the attack could not be repeated on its other lending networks. “We will conduct an investigation into each token’s ‘transfer’ logic to ensure that no problematic token standards are being used,” the developers explained.
Meanwhile, Voltage stated that it was in contact with third parties to track down the attacker and devise a strategy for compensating affected users.
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.