A decentralized finance (DeFi) protocol, Ola Finance, recently suffered a security breach, losing about $4.6 million in the exploit. The incident is the industry's second security breach within a week; the industry recorded its largest-ever hack earlier this week. The exploit, identified as a reentrancy attack on the decentralized lending protocol, led to the loss of $4.6 million.
The post-mortem of the security breach, announced on April 1, came as a blow to the protocol's users. According to the team, Ola Finance was exploited on the Fuse blockchain last Thursday. A total of about 216,964 USDC, 507,216 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, and 1.24 million FUSE tokens was stolen in the breach. The funds were worth about $4.66 million at press time.
According to the security firm PeckShield, about $3.6 million was reportedly stolen. The firm stressed that the loss incurred by Ola Finance remains huge. PeckShield further stated that the exploit worked through a reentrancy vulnerability in the ERC677 token mechanism. This is a smart contract bug that allows attackers to make repeated calls into the protocol before an earlier call has finished, and so to steal assets.
The team stressed that the hack stemmed from an incompatibility between the Compound fork and ERC677/ERC777-based tokens. This allowed the tokens' callback functions to be misused to re-enter the lending pool.
How the reentrancy attack on Ola Finance manifested
The attackers first borrowed funds against their own collateral. They then used the reentrancy vulnerability in Ola Finance's smart contracts to remove the collateral without repaying the loan.
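The ordering problem described above can be shown with a small Python model. This is an added example, not Ola Finance's or Compound's code: the class names, the `on_token_transfer` hook and the 1:1 collateral factor are assumptions made for illustration. The hardened variant records the debt before the callback-capable token transfer, so the collateral check inside the callback sees the loan.

```python
class CallbackToken:                      # constructed ERC677-style token
    def __init__(self):
        self.balances = {}

    def transfer(self, dst, amount):      # pool liquidity is not modelled
        self.balances[dst] = self.balances.get(dst, 0) + amount
        hook = getattr(dst, "on_token_transfer", None)
        if hook:
            hook(amount)                  # recipient code runs mid-transfer

class LendingPool:                        # toy pool, 1:1 collateral factor
    def __init__(self, hardened):
        self.hardened = hardened
        self.token, self.collateral, self.debt = CallbackToken(), {}, {}

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        if self.collateral.get(user, 0) < self.debt.get(user, 0) + amount:
            raise ValueError("undercollateralized")
        if self.hardened:                 # record the debt, then pay out
            self.debt[user] = self.debt.get(user, 0) + amount
        self.token.transfer(user, amount)
        if not self.hardened:             # pays out before recording the debt
            self.debt[user] = self.debt.get(user, 0) + amount

    def withdraw(self, user, amount):
        if self.collateral.get(user, 0) - amount < self.debt.get(user, 0):
            raise ValueError("collateral still backs a loan")
        self.collateral[user] -= amount

class CallbackBorrower:                   # hypothetical account with a hook
    def __init__(self, pool):
        self.pool, self.blocked = pool, False

    def on_token_transfer(self, amount):  # re-enters the pool mid-borrow
        try:
            self.pool.withdraw(self, 100)
        except ValueError:
            self.blocked = True

def run(hardened):
    pool = LendingPool(hardened)
    user = CallbackBorrower(pool)
    pool.deposit(user, 100)
    pool.borrow(user, 100)
    return pool.collateral[user], pool.debt[user], user.blocked
```

`run()` returns the borrower's collateral, debt and whether the re-entrant withdrawal was rejected; debt exceeding collateral is the invariant violation a monitor or test suite should flag.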
According to the report, the initial stage of the exploit involved a 515 wrapped ETH flash loan, taken from the WETH/WBFC pair on Voltage Finance to fund the heist. The hacker then repeated the process, which led to the theft of about $3.6 million in crypto. The stolen funds were laundered through the Tornado Cash transaction-anonymizing service.
Ola Finance has reiterated its commitment to compensating affected users but has yet to give details of the compensation plan. The decentralized lending protocol says a formal compensation plan is forthcoming. According to the protocol, the plan involves the distribution of funds to affected users of the platform.
In addition, Ola Finance intends to reach out to the attacker to seek the return of the funds in exchange for a bounty. Voltage Finance's FUSE token fell 21% in the hours following the security breach and now trades at $0.448.
The breach at Ola Finance occurred in the same week that Axie Infinity's Ronin bridge was exploited. The Axie Infinity exploit reportedly amounts to $615 million, making it the industry's biggest attack.
Sky Mavis, the developer of a renowned metaverse game, has assured the affected victims of that breach that they will be reimbursed. A DeFi lending protocol, Hundred Finance, also lost over $6.5 million in a similar reentrancy breach.