An open-source, decentralised financial system called Ola Finance has been the victim of a re-entry assault that resulted in the loss of $3.6 million in cryptocurrency.
As Ola Finance summarised the attack and revealed that the stolen protocol value was around $4.67M in ETH, BTC, and FUSE pricing. There were 216,964 USDC, 507,216 BUSD, 200,000 fUSD, 550.45 WETH, 26.25 WBTC, and 1.24 million FUSE stolen by the hackers.
We will soon be publishing an official report detailing the exploit that occurred on the @voltfinance Lending Network and the plan for recourse.
Thank you to @peckshield for providing swift coverage and helping us analyze the root of the exploit.
Read Primer 🧵: https://t.co/UDU10C2YSa
— Ola.finance (@ola_finance) March 31, 2022
About the re-entrancy attack
PeckShield, a blockchain security startup, released a detailed analysis and diagnosis of the vulnerability.
In a re-entrancy attack, a threat actor exploited flaws in Ola Finance’s smart contracts to give a loan based on bogus collateral to the protocol’s decentralised lending platform.
According to the security company. Tornado Cash, an anonymous transfer mechanism, was used by the threat actor to withdraw cash.
Loans were withdrawn from Ola Finance’s decentralised lending platform when the cash from Tornado Cash was moved to the Fuse network, on which Ola Finance operates.
Using the built-in callback methods of ERC677 and ERC777 tokens, the hack was made possible because of the incompatibility between the Compound fork and these tokens.
Axie Infinity’s Ronin sidechain was attacked for $625 million in a previous assault on decentralised finance (DeFi) systems, making this the latest in a series of attacks.
After a number of high-profile hacks on DeFi systems, several experts have called for an enhanced examination of smart contract programming.
Hackers Have Their Eyes on DeFi
The $625 million Ronin network attack by Axie Infinity was just a few days before the Ola Finance hack. Ronin has been hacked to the tune of 173,600 ETH and 25.5 million USDC, making it one of DeFi’s biggest ever hacks.
Since the Ola Finance hack, reentrancy attacks have been utilised in several high-profile breaches. A reentry fault and a flash loan vulnerability were used to steal over $11 million from Agave and Hundred Finance on March 16, according to FXEmpire.
DeFi thefts are becoming more widespread, despite the fact that Ola Finance’s intrusion is less than those previously reported.