Ola Finance Hacked for $4 Million: Details
Ola Finance, a platform for creating customized DeFi modules, has had its Fuse-based mechanism of Voltage Finance protocol exploited. PeckShield cybersecurity provider has already unveiled how the attackers managed to drain liquidity.
Two protocols, two blockchains, six assets: another sophisticated hack in DeFi
PeckShield, a flagship blockchain security and data analytics vendor, announced today, on March 31, 2022, that Ola.Finance's lending mechanism has been hacked.
1/ The @ola_finance is exploited in a flurry of txs, leading to the gain of ~$3.6M for the hacker (the protocol loss is larger). Here is an example hack tx: https://t.co/9JfnBr9pfL
— PeckShield Inc. (@peckshield) March 31, 2022
Voltage Finance, a first DeFi hub on EVM-compatible blockchain Fuse Network (FUSE), confirmed that its Ola Finance system was drained for $4,000,000:
We became aware of a breach on the @voltfinance lending platform around 3 hours ago leading to the theft of $4M in $USDC, $FUSD, $BUSD, $WBTC, $WETH & $FUSE.
Bitcoin (BTC) Approaches $98,000 as Altcoins Lag BehindXRP 4 Days of Sleep: What's Next? Dogecoin (DOGE) Hints at Double Top Pattern Formation, Pepe (PEPE) Loses 21% in 6 Days, But There's Still ChanceBinance's CZ Warns About MacBook VulnerabilitiesMicroStrategy Raises Recent Convertible Notes Offer to $2.6 Billion to Buy More Bitcoin
As per PeckShield's analysis, the hack became possible due to the lack of compatibility between Compound (COMP) forks—Ola Finance enables DeFi businesses to build Compound-like systems—and Ethereum-based tokens of a particular standard.
ERC677/ERC777 tokens have built-in callback functions that allowed attackers to misuse Ola's mechanism to drain accessed liquidity pools.
Attacks on crypto protocols are on fire in 2022
To perform an attack, hackers transferred funds from Ethereum through the Tornado Cash mixing system. Lately, the funds were returned to Ethereum addresses that are already flagged by mainstream explorers.
Voltage Finance asked USD Coin (USDC) operator Circle Inc. and CEX teams to blacklist involved addresses on Ethereum (ETH) blockchain.
As covered by U.Today previously, DeFi hacks smashed all previous highs in terms of volume of stolen assets. Two days ago, Axie Infinity's sidechain, Ronin (RON), was drained for $625 million.
The Ronin (RON) hack appears to be the largest hack ever in decentralized finance (DeFi) history.
Update: The U.Today team was contacted by Mr. Elvis Živković of Voltage Finance. According to his statement, the protocol itself was not hacked:
The Voltage Finance DeFi protocol wasn't exploited. Ola Finance was exploited. We are partners of Ola and use their platform in a lending-as-a-service way. Ola Finance is a separate team, it doesn't belong to Fuse.io nor Voltage Finance.