September 28, 2022

Ola Finance, a DeFi protocol specializing in lending products, has fallen victim to an attack in which assets with a total value of up to 4.6 million USD were stolen.

Source: CoinTelegraph

On April 1, decentralized lending protocol Ola Finance revealed that it had suffered an exploit that allowed hackers to take 216,964 USDC, 504,216 BUSD, 200,000 fUSD, 550.45 WETH, 26.25 WBTC and 1.24 million FUSE. At the time, the total value of the stolen assets amounted to $4.6 million. Blockchain security company PeckShield had previously published information about the attack with an estimated damage value of $3.6 million.

Source: Twitter

According to the founding team of Ola Finance, the hackers exploited a flaw in the ERC677 token standard. This is considered a bug in the smart contract that allows hackers to make repeated calls to the lending protocol to steal assets.

A representative of the security company PeckShield explained:

“The attack was possible due to a process incompatibility between the Compound fork and ERC677 or ERC777 tokens. It is this conflict that allows hackers to steal loan assets without needing to be repaid.”

The attack was carried out as follows:

Initially, the hackers made a loan transaction on the platform with their own fake collateral. Then, they made withdrawals through Tornado Cash, an anonymity protocol that allows users to transfer funds without leaving a traceable transaction history. Once the withdrawal was complete, the hackers transferred the funds from Tornado Cash to the Fuse network. They continued to post fake assets as collateral and in turn took loans out of Ola Finance's protocol. By exploiting a re-entrancy vulnerability in the smart contract, the hackers could quickly remove the collateral without repaying the previous loan. This process was repeated until they had stolen various types of crypto assets with an estimated total value of about $4.6 million.
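The re-entrancy step described above, where collateral is removed without the loan being repaid, can be reproduced in a small Python model that contrasts a vulnerable borrow path with a hardened one. This is an added example, not Ola Finance's or Compound's code: the `Pool` class, its method names, the amounts, and the assumption that the debt is recorded only after the token's receiver callback has run are all hypothetical.

```python
import copy

class Reverted(Exception):
    """Stands in for an EVM revert."""

class Pool:
    """Hypothetical lending pool; `safe` selects the ordering used in borrow()."""
    def __init__(self, cash, safe):
        self.cash, self.safe, self.entered = cash, safe, False
        self.collateral, self.debt = {}, {}

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def withdraw_collateral(self, user):
        if self.safe and self.entered:           # reentrancy guard
            raise Reverted("re-entered")
        if self.debt.get(user, 0) > 0:
            raise Reverted("outstanding debt")
        return self.collateral.pop(user, 0)

    def borrow(self, user, amount, on_receive):
        if self.collateral.get(user, 0) < amount:
            raise Reverted("insufficient collateral")
        self.entered = True
        try:
            if self.safe:                        # effects first, then interaction
                self.debt[user] = self.debt.get(user, 0) + amount
            self.cash -= amount
            on_receive()                         # token's receiver callback (ERC677/ERC777 style)
            if not self.safe:                    # assumed flaw: debt recorded too late
                self.debt[user] = self.debt.get(user, 0) + amount
        finally:
            self.entered = False

def scenario(safe):
    """Borrow 80 against 100 collateral with a receiver that re-enters (constructed values)."""
    pool = Pool(cash=1000, safe=safe)
    pool.deposit("borrower", 100)
    before = copy.deepcopy(pool.__dict__)        # snapshot so a revert can be modelled
    try:
        pool.borrow("borrower", 80, lambda: pool.withdraw_collateral("borrower"))
        reverted = False
    except Reverted:
        pool.__dict__.update(before)             # a revert undoes every state change
        reverted = True
    return reverted, pool.collateral.get("borrower", 0), pool.debt.get("borrower", 0), pool.cash
```

With `safe=False` the pool ends up holding a debt that no collateral backs; with `safe=True` the nested call reverts and the pool's balances are unchanged.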

To reassure users, the Ola Finance representative said that the team will quickly work out a reasonable compensation plan for users. However, at the moment, the details of this plan have not been disclosed. It is known that Ola Finance will soon contact the attacker and offer a ransom to ask the hackers to return the money they have stolen.

As can be seen, the DeFi market has recently shown signs of instability, with many high-value attacks. Most recently, hackers breached Axie Infinity's Ronin sidechain and stole more than $625 million. The attack on the Ola Finance lending protocol is therefore a wake-up call for developers of DeFi projects and platforms as well as investors in the cryptocurrency market in general.