Key Takeaways:
- The exploit took place on Fuse Network.
- About $3.6 million lost in the incident. The funds are still with the hacker.
- Funds were funneled out via Tornado Cash.
Today Ola Finance Tweeted and informed their community that they are investigating an exploit that took place on the Fuse network (LeN). All other lending networks remain unaffected and they have pre-emptively paused borrowing capabilities to mitigate any risk.
According to our sources, the Ola Finance is exploited in a flurry of txs. It leads to a gain of ~$3.6M for the hacker (the protocol loss is larger). The txs hash is 0x1b3e06b6b310886dfd90a5df8ddbaf515750eda7126cf5f69874e92761b1dc90.
Our sources used the above hash to find out what has happened. They could find out the following:
H1: 0x632942c9BeF1a1127353E1b99e817651e2390CFF
H2: Ox9E5b7da68e2aE8aB1835428E6E0C83a7153f6112
CETH: 0x139Eb08579eec664d461f0B754c1F8B569044611
CBUSD: OxBaAFD1F5e3846C67465 FCbb536a52D5d8f484Abc
H2->CETH:
The hacker minted 27,284.948 OWETH by depositing 550.446 WETH
H2->CBUSD:
The hacker borrowed 507,216.676 BUSD then reentered to transfer (H2->H1): 27,284.948 OWETH + 507,216.676 BUSD
H1->CETH:
The hacker then redeemed 27,284.948 OWETH to get 550.446 WETH
Further, our sources could find that the hack is made possible due to the incompatibility between the Compound fork and ERC677/ERC777-based tokens. It has the built-in callback functions misused to allow for reentrancy to drain the lending pool. This step can be clearly seen in the image below.
The initial funds to launch the hack are withdrawn from TornadoCash and tunneled to the Fuse network via Fuse Bridge. The gains are tunneled via Fuse Bridge and currently funds still stay in the hacker’s account (0xbcdb800d77ccaac6597830b026d6af78a1118f42).
