Decentralized lending protocol Ola Finance has been exploited for over $4.67 million, but how exactly did it happen?
Ola Finance victim of a reentrancy exploit
According to the developers’ post-mortem report, the project was hit by a “reentrancy” attack that relied on a reentrancy vulnerability in the ERC677 token standard. Reentrancy is a common vulnerability that lets an attacker trick a smart contract into giving up assets by making multiple calls into the protocol. A call allows the smart contract address to interact with a user’s wallet address.
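To make the call ordering behind reentrancy concrete, here is an added Python model (not code from Ola Finance, Voltage or the post-mortem) of a pool paying out through a token that notifies the recipient on transfer, with the vulnerable ordering beside the hardened one. All class and function names are hypothetical, and the balances are constructed sample values.

```python
# Constructed model for illustration: not Ola Finance or Voltage code.
class CallbackToken:
    """Token that notifies the recipient on transfer, as ERC677 callbacks do."""
    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "on_token_transfer", None)
        if hook:  # control passes to recipient code before transfer() returns
            hook(sender, amount)

class Pool:
    """Holds tokens for depositors; `safe` selects the hardened ordering."""
    def __init__(self, token, safe):
        self.token, self.safe = token, safe
        self.deposits = {}  # internal ledger: amount owed to each depositor

    def withdraw(self, user):
        owed = self.deposits.get(user, 0)
        if owed == 0:
            return
        if self.safe:
            self.deposits[user] = 0                # effect first
            self.token.transfer(self, user, owed)  # then the external call
        else:
            self.token.transfer(self, user, owed)  # external call first
            self.deposits[user] = 0                # ledger updated too late

class ReenteringRecipient:
    """Recipient whose transfer hook calls back into the pool once."""
    def __init__(self, pool):
        self.pool, self.reentered = pool, False

    def on_token_transfer(self, sender, amount):
        if not self.reentered:
            self.reentered = True
            self.pool.withdraw(self)

def run(safe):
    """Return (recipient balance, pool balance) after one withdraw call."""
    token = CallbackToken()
    pool = Pool(token, safe)
    user, other = ReenteringRecipient(pool), object()
    pool.deposits = {user: 100, other: 100}
    token.balances[pool] = 200
    pool.withdraw(user)
    return token.balances[user], token.balances[pool]
```

With the vulnerable ordering the recipient ends up holding the other depositor's tokens as well; with the ledger updated before the transfer, the nested call finds nothing owed and returns.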
In the first transaction, the attacker borrowed 515 WETH from the Voltage Finance WETH-WBTC pair to fund the attack. The post-mortem report confirms that the attackers were able to trick Voltage’s smart contracts by transferring wrapped assets using flash loans, a type of unsecured loan, and instructing Voltage to transfer the funds to the hackers’ addresses.
All projects accept responsibility and ask our communities to focus on the next steps for growth, rather than blame.
— Ola.finance (@ola_finance) March 31, 2022
What happens now?
In total, the attacker stole 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 wrapped Ether, 26.25 wrapped Bitcoin and 1,240,000.00 FUSE worth over $4.6 million at current prices. In the coming days, Ola Finance and Voltage said they would speak to external parties to track down the attacker and set up a compensation plan to distribute the funds to affected users.
Since Ola Finance is a multi-chain protocol that provides loans as a service for multiple projects on various blockchains, users feared that the attack could take place in multiple locations. Ola Finance said it will verify whether the attack can be replicated on other lending networks it supports and will publish an article outlining the next steps for the protocol.