Ola Finance, a platform for creating customized DeFi modules, has had its Fuse-based mechanism of Voltage Finance protocol exploited. PeckShield cybersecurity provider has already unveiled how the attackers managed to drain liquidity.
Two protocols, two blockchains, six assets: another sophisticated hack in DeFi
PeckShield, a flagship blockchain security and data analytics vendor, announced today, on March 31, 2022, that Ola.Finance’s lending mechanism has been hacked.
1/ The @ola_finance is exploited in a flurry of txs, leading to the gain of ~$3.6M for the hacker (the protocol loss is larger). Here is an example hack tx: https://t.co/9JfnBr9pfL
— PeckShield Inc. (@peckshield) March 31, 2022
Voltage Finance, a first DeFi hub on EVM-compatible blockchain Fuse Network (FUSE), confirmed that its Ola Finance system was drained for $4,000,000:
We became aware of a breach on the @voltfinance lending platform around 3 hours ago leading to the theft of $4M in $USDC, $FUSD, $BUSD, $WBTC, $WETH & $FUSE.
As per PeckShield’s analysis, the hack became possible due to the lack of compatibility between Compound (COMP) forks—Ola Finance enables DeFi businesses to build Compound-like systems—and Ethereum-based tokens of a particular standard.
ERC677/ERC777 tokens have built-in callback functions that allowed attackers to misuse Ola’s mechanism to drain accessed liquidity pools.
Attacks on crypto protocols are on fire in 2022
Hackers transferred funds from Ethereum through the Tornado Cash mixing system to perform an attack. Lately, the funds were returned to Ethereum addresses that mainstream explorers already flag.
Voltage Finance asked USD Coin (USDC) operator Circle Inc. and CEX teams to blacklist involved Ethereum (ETH) blockchain addresses.
DeFi hacks smashed all previous highs in terms of volume of stolen assets. Two days ago, Axie Infinity’s sidechain, Ronin (RON), was drained for $625 million.
The Ronin (RON) hack appears to be the largest hack ever in decentralized finance (DeFi) history.
According to Mr. Elvis Živković of Voltage Finance. statement, the protocol itself was not hacked:
The Voltage Finance DeFi protocol wasn’t exploited. Ola Finance was exploited. We are partners of Ola and use their platform in a lending-as-a-service way. Ola Finance is a separate team, it doesn’t belong to Fuse.io nor Voltage Finance.