Ola Finance victim of a crypto heist of 3.6 million euros despite a positive audit

DeFi targeted – Every day, new protocols are emerging in the DeFi ecosystem. In most cases, these protocols are forked from other protocols. Unfortunately, changes made to the code in some cases lead to the creation of critical flaws.

3.6 million stolen from Ola Finance

Ola Finance is a so-called cross-chain lending-as-a-service protocol, hosted on the BNB Smart Chain, Fantom, Fuse, Moonbeam and Boba blockchains.

In practice, this allows anyone to create their own loan and savings protocol with the click of a button.

Ola Finance originated as a fork of the Compound lending protocol's code. At first glance, it is easy to assume that Ola therefore inherits Compound's security; however, certain modifications to the code introduced a critical flaw.

On Thursday, March 31, the PeckShield teams alerted the Twitter community that an attack had taken place on the instance of Ola Finance deployed on Fuse Network.

Tweet announcing the flaw on Ola Finance – Source: Twitter.

As a result, the attacker managed to drain most of the funds deposited in the protocol's pools. In total, the loot amounts to 4.6 million dollars and breaks down as follows:

  • USD 216,964.18;
  • $507,216.68B;
  • $200,000;
  • 550.45 WETH;
  • 26.25 WBTC;
  • 1,240,000 FUSE.

The losses recorded by the protocol itself are even greater.

At the same time, Ola Finance announced that the flaw was apparently not present on instances of the protocol deployed on other blockchains. Compensation should also be announced in the coming days:

“In the coming days, we will publish a formal compensation plan detailing the distribution of funds to affected users.”



Reentrancy attack: a sense of déjà vu

Both the modus operandi and the type of flaw exploited have already been observed on many occasions.

The attacker took advantage of a so-called reentrancy flaw. In practice, such flaws allow an attacker to make repeated calls into the protocol before it has correctly updated its state to reflect the earlier calls. In this case, the reentrancy flaw was present on ERC-677 type tokens.

It should be noted, however, that an audit had been carried out and that it had raised remarks about the lack of testing against reentrancy attacks.

“General lack of reentrancy protections outside of CTokens. Although there are no other possible reentrancy issues, consider adding verification to be on the safe side.”

Audit details.

First, the attacker borrowed funds by posting collateral on the protocol. He was then able to withdraw his collateral without repaying the borrowed funds by taking advantage of the reentrancy flaw.
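The ordering problem described above, as a simplified Python model added to this article (not Ola Finance's contracts and not code from the audit). It shows a pool that pays out a callback-capable token before recording the debt, next to two standard mitigations: a reentrancy guard, and writing state before the external call. `Pool`, `CallbackToken`, `Receiver` and `run` are hypothetical names, and collateral-ratio checks are left out.

```python
# Constructed model; every name here is hypothetical, not Ola Finance's code.
def nonreentrant(fn):
    def wrapper(pool, *args):
        if pool.guard and pool.locked:
            raise RuntimeError("reentrant call rejected")
        pool.locked = True
        try:
            return fn(pool, *args)
        finally:
            pool.locked = False
    return wrapper

class CallbackToken:  # ERC-677 style: the receiver's hook runs during transfer
    def transfer(self, receiver, amount):
        receiver.balance += amount
        receiver.on_token_transfer(amount)  # control leaves the pool here

class Pool:
    def __init__(self, token, guard, effects_first):
        self.token, self.guard, self.effects_first = token, guard, effects_first
        self.collateral, self.debt, self.locked = {}, {}, False
    @nonreentrant
    def borrow(self, user, amount):
        if self.effects_first:  # mitigation: record the debt, then pay out
            self.debt[user] = self.debt.get(user, 0) + amount
        self.token.transfer(user, amount)  # external call
        if not self.effects_first:  # flaw: debt written after the callback ran
            self.debt[user] = self.debt.get(user, 0) + amount
    @nonreentrant
    def withdraw_collateral(self, user):
        if self.debt.get(user, 0) > 0:
            raise ValueError("outstanding debt")
        return self.collateral.pop(user, 0)

class Receiver:  # borrower contract whose transfer hook calls back into the pool
    def __init__(self, pool):
        self.pool, self.balance = pool, 0
    def on_token_transfer(self, amount):
        try:
            self.pool.withdraw_collateral(self)
        except (RuntimeError, ValueError):
            pass  # the pool refused the nested call

def run(guard, effects_first):
    """Return (recorded debt, collateral still held) after one borrow of 80."""
    pool = Pool(CallbackToken(), guard, effects_first)
    user = Receiver(pool)
    pool.collateral[user] = 100
    pool.borrow(user, 80)
    return pool.debt.get(user, 0), pool.collateral.get(user, 0)
```

`run(False, False)` leaves a debt of 80 backed by no collateral, while enabling either mitigation keeps the 100 units of collateral locked against the loan.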

After the attack, the funds were moved to the BNB Smart Chain and Ethereum blockchains. On Ethereum, the funds passed through the Tornado Cash protocol in order to cover the attacker's tracks.

Diagram of the movements of stolen funds.

This is the third time this month that a reentrancy attack has taken place. In mid-March, the Agave and Hundred Finance protocols were the target of a similar attack. A total of $11.7 million was stolen from the two protocols.
