Ola Finance Loses $4.6M in Latest DeFi Exploit

Another decentralized finance (DeFi) protocol has been exploited in the same week that the industry reported its largest ever hack.

Decentralized lending protocol Ola Finance has been exploited for around $4.6 million in what has been described as a reentrancy attack.

It was no April Fool joke for users of the DeFi platform which published a post mortem of the attack on April 1. The team stated that the Ola lending network on the Fuse blockchain was exploited on March 31.

A total of 216,964 USDC, 507,216 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, and 1.24 million FUSE tokens were stolen. The total value at prices at the time was around $4.67 million, it added.

Security firm PeckShield reported a lower sum of $3.6 million for the hacker adding that the protocol loss was larger.

1/2 Standing together, @ola_finance and @voltfinance remain united in our efforts to compensate users suffering from the latest exploit.

All projects accept responsibility and ask our communities to focus on the next steps of growth, rather than assigning blame.

— Ola.finance (@ola_finance) March 31, 2022

Reentrancy Exploit

According to the team, the attack exploited a reentrancy vulnerability in the ERC677 token standard. This is a smart contract bug that allows a malicious actor to make repeated calls to the protocol in order to pilfer assets. PeckShield explained:  

“The hack is made possible due to the incompatibility between Compound fork and ERC677/ERC777-based tokens, which have the built-in callback functions misused to allow for reentrancy to drain the lending pool.”

The attacker borrowed funds using their own collateral at first. Then they took advantage of the reentrancy vulnerability in Ola’s smart contracts to remove the collateral without repaying the loan.

The initial attack involved a 515 wrapped ETH flash loan from the WETH/WBTC pair on Voltage Finance to fund the heist.

The process was repeated and the hacker eventually made off with $3.6 million in crypto which was washed through the Tornado Cash transaction anonymizing service.

The team stated that it will work on a compensation plan but did not go into details.

“In the coming days, we will release a formalized compensation plan detailing the distribution of funds to affected users.”

It also stated that it would reach out to the attacker and offer a bounty for the return of the funds.

The Voltage Finance FUSE token has tanked 21% in the hours following the exploit and is currently trading at $0.448.

A rough week for DeFi

The hack comes in the same week that Axie Infinity’s Ronin bridge was exploited for a whopping $615 million making it the industry’s worst attack.

Sky Mavis, the firm behind the popular Metaverse game, has stated that it is “fully committed” to reimbursing the victims of the attack.

Last month, DeFi lending protocol Hundred Finance lost around $6.5 million in a similar reentrancy attack.