Ola Finance Suffers $3.6M Re-Entrancy Attack

  • The attack happened on the Fuse Network, one of the many blockchains Ola operates on, and took advantage of a vulnerability in one of Ola’s smart contracts.
  • The project has paused all activities on Fuse Network, and noted the attack has not affected its services on other blockchains, which remain operational.

Decentralized lending protocol Ola Finance has become the victim of a re-entrancy attack, which saw a hacker steal approximately $3.6 million worth of crypto from the project, the startup said on Twitter on 31 March.

According to the announcement, the attack happened on the Fuse Network — one of the many blockchains Ola Finance operates on — which prior to the attack had a total value locked of around $13 million. Ola paused its lending protocol on Fuse Network shortly after detecting the attack, but not before the hacker was able to get away with $3.6 million worth of crypto tokens. The project noted that its services on other blockchains were unaffected by the exploit and will remain operational.

Blockchain security firm PeckShield, which worked with Ola to identify the exploit, said the hacker took advantage of a re-entrancy bug in one of Ola’s smart contracts. The individual first used his own funds — transferred from Tornado Cash so they remain untraceable — as collateral to borrow funds from Ola. He then took advantage of the vulnerability within the protocol to remove his collateral without repaying the loan, a process which was repeated several times on other Ola pools.
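
A simplified Python model of the class of flaw described above, added here as an illustration and not taken from Ola Finance's contracts or PeckShield's analysis. The `Pool` class, its method names and the assumption that the pool records debt only after handing control to the receiver are all hypothetical; the hardened variant records debt first and rejects re-entrant calls.

```python
class ReentrancyError(Exception):
    """Raised when a pool function is entered while another is still running."""

class Pool:  # toy lending pool, balances are plain integers (constructed model)
    def __init__(self, guarded):
        self.guarded = guarded  # True = hardened ordering plus re-entrancy lock
        self.collateral, self.debt, self._locked = {}, {}, False

    def _enter(self):
        if self.guarded and self._locked:
            raise ReentrancyError("re-entrant call rejected")
        self._locked = True

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount, on_receive):
        self._enter()
        try:
            if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
                raise ValueError("insufficient collateral")
            if self.guarded:  # effects before interaction
                self.debt[user] = self.debt.get(user, 0) + amount
            on_receive(self)  # external call: the transfer hands control to the receiver
            if not self.guarded:  # flawed ordering: debt recorded after the call
                self.debt[user] = self.debt.get(user, 0) + amount
        finally:
            self._locked = False

    def withdraw(self, user, amount):
        self._enter()
        try:
            if self.collateral.get(user, 0) - amount < self.debt.get(user, 0):
                raise ValueError("collateral still backs a loan")
            self.collateral[user] -= amount
        finally:
            self._locked = False

def unbacked_debt(guarded):
    """Return debt minus collateral after a borrow whose receiver calls back in."""
    pool = Pool(guarded)
    pool.deposit("borrower", 100)
    def callback(p):  # code running inside the receiver during the transfer
        try:
            p.withdraw("borrower", 100)
        except (ReentrancyError, ValueError):
            pass  # hardened pool refuses; on-chain this would revert the transaction
    pool.borrow("borrower", 100, callback)
    return pool.debt["borrower"] - pool.collateral["borrower"]
```

With the flawed ordering the pool ends up holding a loan with no collateral behind it; with debt recorded first and the lock in place, the loan stays fully backed.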

The attacker then used Fuse Network’s own cross-chain bridge to transfer the stolen funds to other blockchains, and currently holds $3 million on Ethereum, and another $637,000 on BNB Chain. Ola said it is still investigating the incident, and will come up with a post-mortem of the hack in the near future.
