Ola Finance DeFi platform hacked, nearly $5 million stolen
Decentralized lending platform Ola Finance said it was hacked on Thursday morning, reporting that about $4.67 million in cryptocurrency was stolen.
Ola Finance confirmed reports from blockchain analysis firm PeckShield that 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, and 1,240,000.00 FUSE were stolen in the attack, which involved the exploitation of a “reentrancy” vulnerability.
Reentrancy attacks exploit bugs in smart contracts that allow an attacker to withdraw funds repeatedly in a loop before the original transaction is approved or declined, or before the funds need to be returned.
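The loop described above, modelled as an added Python example (not code from this article or from Ola Finance): a toy pool pays out through a recipient callback, once with the balance update after the external call and once with it before. The `Pool` class, the account names and the amounts are constructed for illustration.

```python
# Added illustration: a toy Python model of a lending pool, not Ola Finance's code.

class Pool:
    def __init__(self):
        self.balances = {}   # per-account credit recorded by the pool
        self.reserves = 0    # tokens the pool actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw_vulnerable(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.reserves:
            return
        self.reserves -= amount
        on_receive(amount)        # external call while the balance is still credited
        self.balances[who] = 0    # state update arrives too late

    def withdraw_fixed(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.reserves:
            return
        self.balances[who] = 0    # effect first (checks-effects-interactions)
        self.reserves -= amount
        on_receive(amount)        # a re-entrant call now sees a zero balance

    def is_solvent(self):
        # Invariant worth asserting in tests: holdings cover recorded credit.
        return self.reserves >= sum(self.balances.values())


def simulate(method_name):
    """Run one withdrawal whose recipient callback calls back into the pool."""
    pool = Pool()
    pool.deposit("other_users", 300)   # constructed sample values
    pool.deposit("caller", 100)
    received = []
    withdraw = getattr(pool, method_name)

    def on_receive(amount):
        received.append(amount)
        withdraw("caller", on_receive)  # re-enter before the first call finishes

    withdraw("caller", on_receive)
    return sum(received), pool.reserves, pool.is_solvent()


if __name__ == "__main__":
    for name in ("withdraw_vulnerable", "withdraw_fixed"):
        print(name, simulate(name))
```

Each result is (amount paid to the caller, reserves left, solvency invariant); the invariant fails only for the ordering that updates state after the external call.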
1/ The @ola_finance is exploited in a flurry of txs, leading to the gain of ~$3.6M for the hacker (the protocol loss is larger). Here is an example hack tx: https://t.co/9JfnBr9pfL
— PeckShield Inc. (@peckshield) March 31, 2022
The attack method has been used in several other decentralized finance (DeFi) hacks, including a $29 million hack of Cream Finance in August 2021 and a $2 million hack of DeFi protocol Revest Finance on Sunday.
Ola Finance is a service provider responsible for building the lending network. The company works with Fuse Networks, which manages the lending network, and Voltage Finance, the user interface providing access to the lending network.
Fuse Labs CEO Mark Smargon took to Twitter to explain that Ola Finance provides "lending-as-a-service" on Voltage Finance.
The company said it plans to release a “formalized compensation plan” that will explain how affected users will be reimbursed, and a patch for the vulnerability will be published at a later date.
“Until then, borrowing and lending for the lending network on Fuse will be temporarily disabled; users with borrowed assets are not accumulating interest and are encouraged not to repay their loans at this time (as they are unlikely to be able to withdraw their collateral),” the company said.
“Once this patch is thoroughly tested and audited, full borrowing and lending capabilities on Voltage will resume.”
After Ola Finance was notified of an exploit of the Voltage lending network, the company paused borrowing activity on all lending networks and halted the minting of new tokens.
They also did not want borrowers to pay inflated interest rates because of the attack, so they changed the lending network’s interest rate models to reflect 0% APY for borrowers.
1/2 Standing together, @ola_finance and @voltfinance remain united in our efforts to compensate users suffering from the latest exploit.
— Ola Finance (@ola_finance) March 31, 2022
All projects accept responsibility and ask our communities to focus on the next steps of growth, rather than assigning blame.
Ola Finance said it is working with Fuse and other outside experts to “trace the attacker” and they plan to contact the hacker in an effort to “negotiate the return of funds in exchange for a bounty.”
Several other hacked DeFi platforms have attempted to compensate attackers in exchange for a return of stolen funds, with some finding middling success with the practice.
The attack on Ola Finance comes just days after the Ronin Network announced that hackers stole more than $600 million worth of Ethereum and $25.5 million of US dollar-pegged stablecoin USDC. The Ronin theft is now considered one of the largest DeFi hacks to date.
Blockchain analysis firm Chainalysis said at least $2.2 billion was stolen from DeFi protocols in 2021.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.