Ola Finance Hacked for $4 Million: Details


article image

Vladislav Sopov

“Lending-as-a-Service” provider Ola Finance was drained today in an eccentric hack

Contents

Ola Finance, a platform for creating customized DeFi modules, has had its Fuse-based mechanism of Voltage Finance protocol exploited. PeckShield cybersecurity provider has already unveiled how the attackers managed to drain liquidity.

Two protocols, two blockchains, six assets: another sophisticated hack in DeFi

PeckShield, a flagship blockchain security and data analytics vendor, announced today, on March 31, 2022, that Ola.Finance’s lending mechanism has been hacked.

Voltage Finance, a first DeFi hub on EVM-compatible blockchain Fuse Network (FUSE), confirmed that its Ola Finance system was drained for $4,000,000:

We became aware of a breach on the @voltfinance lending platform around 3 hours ago leading to the theft of $4M in $USDC, $FUSD, $BUSD, $WBTC, $WETH & $FUSE.

As per PeckShield’s analysis, the hack became possible due to the lack of compatibility between Compound (COMP) forks—Ola Finance enables DeFi businesses to build Compound-like systems—and Ethereum-based tokens of a particular standard.

ERC677/ERC777 tokens have built-in callback functions that allowed attackers to misuse Ola’s mechanism to drain accessed liquidity pools.

Attacks on crypto protocols are on fire in 2022

To perform an attack, hackers transferred funds from Ethereum through the Tornado Cash mixing system. Lately, the funds were returned to Ethereum addresses that are already flagged by mainstream explorers.

Voltage Finance asked USD Coin (USDC) operator Circle Inc. and CEX teams to blacklist involved addresses on Ethereum (ETH) blockchain.

As covered by U.Today previously, DeFi hacks smashed all previous highs in terms of volume of stolen assets. Two days ago, Axie Infinity’s sidechain, Ronin (RON), was drained for $625 million.

The Ronin (RON) hack appears to be the largest hack ever in decentralized finance (DeFi) history.

Update: The U.Today team was contacted by Mr. Elvis Živković of Voltage Finance. According to his statement, the protocol itself was not hacked:

The Voltage Finance DeFi protocol wasn’t exploited. Ola Finance was exploited. We are partners of Ola and use their platform in a lending-as-a-service way. Ola Finance is a separate team, it doesn’t belong to Fuse.io nor Voltage Finance.

Source: https://u.today/ola-finance-hacked-for-4-million-details