$4 670 000 USD

MARCH 2022

GLOBAL

OLA FINANCE

DESCRIPTION OF EVENTS

"A decentralized protocol for programmable lending." "Ola Finance is a Lending-as-a-Service platform that allows anyone to create their own branded lending network at the click of a button. Each Lending Network (LeN) consists of a number of different tokens, determined by the network creator, which can be lent and borrowed."


"Ola's goal is to create an inclusive lending protocol within DeFi where assets can be listed without needing to pass cumbersome and expensive governance schemes or comply with numerous requirements (deep liquidity, high trading volumes, low volatility, etc.). Ola supports all kinds of assets: from early-stage governance tokens to different stablecoins and backed assets, all the way to exotic receipt tokens."


"Ola Finance is not another Compound or Aave. Rather, Ola is a technology provider that enables others to build Compound-like instances governed and controlled by the creator."


"Initially launched as “Fuse Lending Network’’, the key benefit for Fuse was to have lending launched on the platform without needing to internalize the resources typically needed for this type of implementation."


"The collaboration with Fuse entails Ola Finance managing smart contract architecture and implementation as well as integrations that are core to the Ola platform such as price oracles. The creator, Fuse in this case, makes decisions about lending network configurations, including which tokens to list and parameters to set, such as collateral and liquidation factors within fixed ranges set by Ola Finance. Both parties benefit from the collaboration via a revenue sharing model."


"In summer 2021 the process of integrating Ola into Voltage Finance (formerly FuseFi) began. Voltage Finance is the first all in one DeFi platform on Fuse Network, created by the Fuse Foundation and later spun out into an independent DAO in March 2022. Voltage Finance featured available lending assets’ data and APYs, requiring the user to redirect to the Ola platform in order to execute lending and borrowing orders. Full integration allowing the user to lend and borrow directly on Voltage Finance was part of the roadmap."


"On April 1, decentralized lending protocol Ola Finance also suffered an exploit that allowed hackers to grab $3.6 million worth of cryptocurrencies from the platform."


"The exploit occurred at around 2am UTC on 31st March. The value stolen summed up to ~$4.67M at the time of the attack in ETH, BTC and FUSE prices: 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, 1,240,000.00 FUSE." "At approximately 5am on 31st March (UTC +3), The lending network on Fuse blockchain was exploited for 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, and 1,240,000.00 FUSE. The value stolen sums up to ~$4.67M in today’s ETH, BTC and FUSE prices."


"The initial funds to launch the hack are withdrawn from @TornadoCash and tunneled to Fuse network via Fuse Bridge."


"The hack is made possible due to the incompatibility between Compound fork and ERC677/ERC777-based tokens, which have the built-in callback functions misused to allow for reentrancy to drain the lending pool." "The attack used a reentrancy vulnerability in the ERC677 token standard. Analyzing one of the heist transactions, we found the following series of events:"


"(1) Attacker transferred WETH from C1 to C2."


"(2) Attacker minted oWETH to C2 (transferring WETH to the oWETH contract)."


"(3) Attacker borrowed XXX token to C2 from the oXXX contract."


"(4) Since XXX is an ERC677, a callback function was called on C2 during the transfer of XXX from oXXX to C2. In this callback, the attacker transferred the oWETH from C2 to C1. This was possible because the state that updates C2’s borrow balance (and would prevent the transfer of the oWETH) was not updated yet."


"(5) Since C1 had no borrow balance it could redeem the oWETH back to WETH."


"(6) The attacker ended up with both the WETH used as collateral to borrow the XXX token and the XXX token they borrowed."


"(7) To steal fUSD and FUSE (which are not ERC677), the attacker used the WETH they had already stolen to mint oWETH and borrow all available fUSD and FUSE tokens. Then, they took advantage of the same reentrancy vulnerability to retrieve back the WETH they had just deposited and used as collateral to borrow the fUSD and FUSE."


"In the first heist transaction, the attacker took a 515 WETH flash loan from the WETH-WBTC pair on Voltage.Finance to fund the attack. In later transactions, the attacker avoided a flash loan by using the funds that had already been stolen." "The gains [were] tunneled via Fuse Bridge and currently funds still stay in the hacker’s account."
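The seven steps quoted above, replayed in a small Python model of a Compound-style lending network. This is an added example, not code from Ola Finance, Fuse or the post-mortem's authors. It keeps only what the bug needs: a comptroller that computes an account's liquidity from each market's stored supply and borrow balances, a borrow path that pays out the underlying before it records the debt (the Compound v2 ordering), and a borrowed token that, like an ERC677 token, calls the receiver after crediting it. The amounts, the account names C1 and C2, and the 0.75 collateral factor are constructed. The per-market reentrancy guard that Compound forks carry is deliberately left out, because it does not cover a re-entry into a different market (oWETH) while oXXX is in the middle of a borrow. The same run with the debt recorded before the transfer shows the callback's oWETH transfer failing the liquidity check, which reverts the whole transaction.

```python
"""Toy model of the cross-market reentrancy described in the post-mortem.

Added example, not Ola Finance's or Compound's code: accounts are strings,
every price is 1.0, oTokens use a fixed 1:1 exchange rate and one collateral
factor, and the whole attack is treated as one atomic transaction.
"""
import copy

COLLATERAL_FACTOR = 0.75   # constructed value


class InsufficientLiquidity(Exception):
    pass


class Token:
    """Minimal ERC20. With hook=True the receiver is called after it is credited,
    as ERC677 transferAndCall / ERC777 tokensReceived do."""

    def __init__(self, name, world, hook=False):
        self.name, self.world, self.hook, self.balances = name, world, hook, {}

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{self.name}: {src} has insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        receiver = self.world.receivers.get(dst) if self.hook else None
        if receiver:
            receiver(self, src, amount)         # control leaves the market here


class OToken:
    """Compound-style market: mint / borrow / redeem / transfer of the oToken."""

    def __init__(self, name, underlying, world, safe_order):
        self.name, self.underlying, self.world = name, underlying, world
        self.safe_order, self.supplied, self.borrowed = safe_order, {}, {}

    def mint(self, who, amount):
        self.underlying.transfer(who, self.name, amount)
        self.supplied[who] = self.supplied.get(who, 0) + amount

    def borrow(self, who, amount):
        self.world.require_liquidity(who, borrow=(self, amount))
        if self.safe_order:      # effects first: the debt is visible to other markets
            self.borrowed[who] = self.borrowed.get(who, 0) + amount
            self.underlying.transfer(self.name, who, amount)
        else:                    # Compound v2 order: pay out, then record the debt
            self.underlying.transfer(self.name, who, amount)
            self.borrowed[who] = self.borrowed.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        self.world.require_liquidity(src, redeem=(self, amount))
        self.supplied[src] = self.supplied.get(src, 0) - amount
        self.supplied[dst] = self.supplied.get(dst, 0) + amount

    def redeem(self, who, amount):
        self.world.require_liquidity(who, redeem=(self, amount))
        self.supplied[who] -= amount
        self.underlying.transfer(self.name, who, amount)


class World:
    """Comptroller-like view over all markets plus the ERC677 receiver registry."""

    def __init__(self):
        self.markets, self.receivers = [], {}

    def require_liquidity(self, account, borrow=None, redeem=None):
        # Hypothetical liquidity computed from each market's *stored* balances.
        collateral = debt = 0.0
        for m in self.markets:
            supplied = m.supplied.get(account, 0)
            if redeem and redeem[0] is m:
                supplied -= redeem[1]
            collateral += supplied * COLLATERAL_FACTOR
            debt += m.borrowed.get(account, 0)
        if borrow:
            debt += borrow[1]
        if collateral < debt:
            raise InsufficientLiquidity(account)


def run_attack(erc677_borrow_token=True, safe_order=False):
    """Replay steps (1)-(5) of the post-mortem with constructed amounts."""
    w = World()
    weth, xxx = Token("WETH", w), Token("XXX", w, hook=erc677_borrow_token)
    oweth, oxxx = OToken("oWETH", weth, w, safe_order), OToken("oXXX", xxx, w, safe_order)
    w.markets = [oweth, oxxx]
    xxx.balances["oXXX"] = 1000.0            # pool liquidity (constructed)
    weth.balances["C1"] = 100.0              # attacker's seed capital (constructed)

    def c2_callback(token, sender, amount):  # step (4): runs inside oXXX.borrow
        if token is xxx:
            oweth.transfer("C2", "C1", 100.0)   # C2's new debt is not recorded yet
    w.receivers["C2"] = c2_callback

    snapshot = copy.deepcopy((weth, xxx, oweth, oxxx))
    try:
        weth.transfer("C1", "C2", 100.0)      # (1)
        oweth.mint("C2", 100.0)               # (2)
        oxxx.borrow("C2", 75.0)               # (3), re-enters oWETH via (4)
        if oweth.supplied.get("C1", 0):       # (5): C1 has no debt, so it can redeem
            oweth.redeem("C1", 100.0)
        reverted = False
    except InsufficientLiquidity:
        weth, xxx, oweth, oxxx = snapshot     # the whole transaction reverts
        reverted = True
    return {"reverted": reverted,
            "attacker_weth": weth.balances.get("C1", 0),
            "attacker_xxx": xxx.balances.get("C2", 0),
            "pool_xxx": xxx.balances.get("oXXX", 0),
            "c2_debt": oxxx.borrowed.get("C2", 0),
            "c2_collateral": oweth.supplied.get("C2", 0)}


if __name__ == "__main__":
    print("vulnerable order, ERC677 token:", run_attack())
    print("vulnerable order, plain ERC20:  ", run_attack(erc677_borrow_token=False))
    print("debt recorded before transfer:  ", run_attack(safe_order=True))
```

In the vulnerable run the attacker ends with both the 100 WETH collateral and the 75 XXX borrowed, and the market is left holding a 75 XXX debt against zero collateral. With a plain ERC20 borrow token the callback never fires and the attacker just holds an ordinary collateralised position, which is why step (7) of the post-mortem had to route the fUSD and FUSE theft through the same ERC677 path. The one-line difference in `OToken.borrow` is the checks-effects-interactions ordering; a single lock in the comptroller that spans every market in a network is the other common fix.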


Ola Finance said on Twitter at the time: "We are investigating an exploit that took place on the @Fuse_network LeN. All other lending networks remain unaffected, and we have pre-emptively paused borrowing capabilities to mitigate any risk."


"[A] few mechanisms were quickly implemented to control the situation. First, we paused borrowing activity on all our lending networks until we were 100% certain that this vulnerability doesn’t apply to any of them. In addition, we paused the minting of new tokens (i.e. supplying tokens) to the lending network to safeguard users seeking high APYs without awareness of the situation. Finally, we changed the lending network’s interest rate models to reflect 0% APY for borrowers and set all RainMaker speeds to 0; this way, borrowers would not pay inflated interest rates as a result of the attack."


"In this joint blog post we aim to provide a complete overview of events concerning the very unfortunate exploit which took place on 31st March leading to the theft of over $4 million and plans to make amends to those affected."


"As of writing, the stolen funds are still being held by the attacker on Ethereum and BNB Chain. Legal authorities have been alerted and we are working to prohibit the attacker from making any legal use of funds."


"An attempt was made to establish contact with the hacker via data input on an Ethereum transaction on Thursday 31st March following the exploit. As of yet we have received no communication from him/her."


"Important lessons have been learned about the importance of taking a step back to consider risk during periods of rapid growth. We are convinced that the entire, collective community will come out of this stronger than ever. We’re more galvanized than ever in our mission to take DeFi mainstream. We also realize that, whilst unfortunate events like this can occur when battle-testing cutting-edge technology, making user safety a number one priority is crucial to the industry’s long-term success."


"We are providing our partners the ability to pause money markets in their lending network. When activated, this will temporarily stop the ability to supply and/or borrow additional tokens from a market. This feature will not affect any current positions, including a user’s ability to repay loans or withdraw collateral. Pausing functionalities can halt an attacker in the midst of draining a market, thus preventing additional funds from being stolen. The ability to call this function will only be given to whitelisted addresses."


"We will release a report analyzing the token transfer logic of all tokens currently used in our partners’ lending networks. In addition, we will continue to update this report for tokens listed by network owners in the future to ensure there are no vulnerabilities presented within a token’s contract. This report will be publicly listed on Ola Finance’s Gitbook."


"The Ola and Fuse teams are working on a UI to facilitate the distribution of funds and will share access to the UI once complete." "We have collected final data concerning those affected by the attack and have developed a joint compensation plan between all parties involved."


"Compensation from Ola Finance will be provided as follows: Ola Finance pledges 400K of its future token distributed over 1 year from the TGE (date to be determined) and split proportionately among victims based on their percentage of the total amount stolen. Ola plans to generate 100M tokens, thereby designating 400K OLA as 0.4% of the total supply to reimburse the victims. While the future price of the Ola token is currently undetermined, victims have the option of receiving immediate compensation by converting their future token options to USDC at the value of $1 per Ola token. Currently, this option is limited to $200,000; however, should demand exceed this, Ola will work to bring in additional funds."


"1/2 Standing together, @ola_finance and @voltfinance remain united in our efforts to compensate users suffering from the latest exploit. All projects accept responsibility and ask our communities to focus on the next steps of growth, rather than assigning blame."


"The lending market will be reinstated as soon as both parties, along with security partners, are confident that ample measures have been taken to mitigate any future risk. The estimated time is 1–2 months."

Ola Finance offers a service that lets others launch Compound-style decentralized lending networks. The lending network on Fuse was drained through a cross-market reentrancy: when the borrowed token was an ERC677 token with a transfer callback, the attacker's contract was called back before the market had recorded its new borrow balance, so it could move its oWETH collateral to a second contract, which then redeemed it, leaving the attacker with both the collateral and the borrowed tokens. Ola's attempt to contact the attacker through transaction data received no reply, but Ola Finance and Voltage Finance have put a joint compensation scheme in place for the affected users.

HOW COULD THIS HAVE BEEN PREVENTED?

It would be recommended that platforms get at least 2 independent security audits and a third after 6 months of operation. For a lending network built on a Compound fork the core contracts are well trodden; what bit here was the combination of a borrow path that transfers tokens out before it records the debt and a listed token whose transfer calls back into the receiver. Audits, and the listing process itself, should therefore cover every token a network creator adds (screening for ERC677/ERC777-style callbacks, the review Ola committed to above), and the borrow path should record state before any external transfer or hold a lock that spans all markets in the network. This level of diligence would greatly reduce the risk of an exploit.


We have proposed that platforms fund a collective industry insurance fund, which would then be available to cover losses. The loss amount can be reduced by having the majority of funds in offline cold storage, protected by a multi-signature wallet, until a project is sufficiently established that full coverage is affordable.


Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.