Ola Finance Says Attackers Stole $4.7M in 'Re-Entrancy' Exploit

A post-mortem released Friday details how the heist occurred on Voltage, powered by Ola Finance.

Apr 1, 2022 at 7:44 a.m. UTC
Updated Apr 4, 2022 at 6:31 a.m. UTC

Shaurya is an analyst/editor for CoinDesk's markets team in Asia.

Lending network Voltage Finance, powered by Ola Finance, was exploited for over $4.67 million in a “re-entrancy” attack on Thursday, according to a post-mortem report released by the developers.

  • Ola can be used to build and deploy decentralized finance (DeFi) lending platforms across several blockchains, and Thursday’s attack targeted its deployment on the Fuse network. DeFi refers to the use of smart contracts instead of third parties for financial services such as lending and borrowing.
  • Ola allows projects to create and own their own lending networks in a permissionless manner, while Voltage is the user interface that provides access to Fuse.
  • The Fuse network was exploited for 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 wrapped ether, 26.25 wrapped bitcoin, and 1,240,000.00 FUSE. All of that is worth over $4.67 million at current prices.
  • The attack occurred via a re-entrancy vulnerability in the ERC677 token standard. Re-entrancy is a common bug that allows attackers to trick a smart contract by making repeated calls to a protocol in order to steal assets. A call is an authorization for the smart contract address to interact with a user’s wallet address.
  • In the first heist transaction, the attacker took a 515 WETH flash loan from the WETH-WBTC pair on Voltage Finance to fund the attack. In later transactions, the attacker avoided a flash loan by using the funds that had already been stolen, the post-mortem report confirmed. Voltage is a decentralized trading protocol that allows for the automated trading of DeFi tokens on the Fuse network.
  • Attackers were able to trick Voltage’s smart contracts by transferring wrapped assets, generated using flash loans (a form of uncollateralized lending), and making calls that led the smart contract to transfer funds from Voltage to the hacker’s addresses.
  • Ola Finance said the attack couldn't be replicated on other lending networks that it supports. “We will investigate each token’s 'transfer' logic to make sure no problematic token standards are in use,” the developers said.
  • Meanwhile, Voltage said it was speaking with external parties to trace the attacker and create a plan to compensate affected users.
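
A simplified Python model of the failure mode described in the bullets above, added here as an illustration and not taken from the post-mortem or from Ola's or Voltage's contracts: a token whose transfer hands control to the recipient, ERC677-style, and a lending market that records debt either after the transfer or before it while holding a lock. The class names, the `on_token_transfer` hook name and all amounts are assumptions made for the example.

```python
class CallbackToken:
    """Constructed model of a token whose transfer() calls the recipient."""
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, recipient, amount):
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "on_token_transfer", None)
        if hook:
            hook()  # recipient code runs before transfer() returns

class Market:
    def __init__(self, token, hardened):
        self.token, self.hardened, self.locked = token, hardened, False
        self.collateral, self.debt = {}, {}

    def borrow(self, user, amount):
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise ValueError("undercollateralized")
        if not self.hardened:
            self.token.transfer(self, user, amount)  # interaction first
            self.debt[user] = self.debt.get(user, 0) + amount  # recorded too late
            return
        self.locked = True  # re-entrancy lock held across the external call
        self.debt[user] = self.debt.get(user, 0) + amount  # effects first
        self.token.transfer(self, user, amount)
        self.locked = False

    def withdraw_collateral(self, user, amount):
        backed = self.collateral.get(user, 0) - amount >= self.debt.get(user, 0)
        if self.locked or not backed:
            return False  # refused; on-chain this would be a revert
        self.collateral[user] -= amount
        return True

class HookedRecipient:
    """Test fixture: its transfer hook calls back into the market."""
    def __init__(self, market):
        self.market = market
    def on_token_transfer(self):
        self.market.withdraw_collateral(self, 100)

def unbacked_debt(hardened):
    market = Market(CallbackToken(), hardened)
    market.token.balances[market] = 1_000  # constructed pool liquidity
    user = HookedRecipient(market)
    market.collateral[user] = 100
    market.borrow(user, 100)
    return market.debt[user] - market.collateral[user]
```

With `hardened=False` the model ends with debt that no collateral backs; with `hardened=True` the nested call is refused and the position stays fully collateralized. A check of this shape can be run against each supported token's transfer behaviour.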

UPDATE (April 4, 06:30 UTC): Adds further details regarding Ola Finance and Voltage Finance in lead and second bullet.

