$4 million stolen in Ola Finance hack


The decentralized lending platform Ola Finance announced the hack on Thursday morning, reporting that about $4.67 million in cryptocurrency was stolen.

Ola Finance confirmed reports from the analytics firm PeckShield that 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC and 1,240,000.00 FUSE were stolen in the attack, which exploited a “re-entrancy” vulnerability.

Re-entrancy attacks exploit errors in contracts that allow an attacker to repeatedly withdraw funds before the original transaction is approved or rejected, or before the funds have to be returned.

The hackers used their own funds as collateral to obtain an initial loan. Then, thanks to a vulnerability in the smart contract, they were able to withdraw the funds they had posted as collateral for the loan. By repeating this action several times, the hackers obtained an unsecured loan of $3.6 million.
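The ordering flaw behind a re-entrant collateral withdrawal, as an added Python sketch that is not Ola Finance's contract code and not from the original article. It compares a pool that records the debt after paying out the loan with one that records it first. The class, the names, the amounts and the assumption that paying out a loan runs code controlled by the borrower are all constructed for illustration.

```python
class LendingPool:
    """Constructed toy model of a lending pool; not Ola Finance's contract."""

    def __init__(self, liquidity, effects_first):
        self.liquidity = liquidity
        self.effects_first = effects_first   # True = hardened ordering
        self.collateral, self.debt = {}, {}

    def free_collateral(self, user):
        return self.collateral.get(user, 0) - self.debt.get(user, 0)

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def withdraw(self, user, amount):
        if amount > self.free_collateral(user):
            raise ValueError("collateral is backing an open loan")
        self.collateral[user] -= amount

    def borrow(self, user, amount, on_receive):
        if amount > self.free_collateral(user) or amount > self.liquidity:
            raise ValueError("insufficient collateral or liquidity")
        if self.effects_first:               # hardened: record the debt first
            self.debt[user] = self.debt.get(user, 0) + amount
        self.liquidity -= amount
        on_receive(self)                     # external call: borrower's code runs
        if not self.effects_first:           # vulnerable: debt recorded too late
            self.debt[user] = self.debt.get(user, 0) + amount


def simulate(effects_first, stake=100):
    """Return (unsecured_debt, reentry_blocked) after one deposit and borrow."""
    pool, user, blocked = LendingPool(1_000, effects_first), "borrower", []

    def reenter(p):                          # runs in the middle of borrow()
        try:
            p.withdraw(user, stake)
        except ValueError:
            blocked.append(True)             # the collateral check held

    pool.deposit(user, stake)
    pool.borrow(user, stake, reenter)
    unsecured = max(0, pool.debt[user] - pool.collateral[user])
    return unsecured, bool(blocked)


if __name__ == "__main__":
    print("vulnerable ordering:", simulate(effects_first=False))
    print("effects-first ordering:", simulate(effects_first=True))
```

With the debt recorded before the external call, the withdrawal check sees the open loan and refuses to release the collateral.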

This attack method has been used in several other decentralized finance (DeFi) hacks, including the $29 million Cream Finance hack in August 2021 and the $2 million hack of the DeFi protocol Revest Finance on Sunday.

Ola Finance is a service provider responsible for creating a credit network. The company works with Fuse Networks, which manages the credit network, and uses the Voltage Finance user interface, which provides access to the credit network.

The company plans to release a “formalized compensation plan” detailing how affected users will be compensated, and a fix for the vulnerability will be published later.

“The borrowing and lending of the credit network on Fuse will be temporarily disabled; users with borrowed assets are not accumulating interest, and they are advised not to pay their loans at the moment (as they are unlikely to be able to withdraw their collateral),” the company said.

“After this patch is thoroughly tested and verified, all borrowing and lending opportunities in Voltage will resume.”

Ola Finance said it is working with Fuse and other external experts to “track down the attacker,” and they plan to contact the hacker to “negotiate a refund in exchange for a reward.”