Ola Finance Exploited, Around $3.6M Lost
- The exploit took place on Fuse Network.
- About $3.6 million lost in the incident. The funds are still with the hacker.
- Funds were funneled out via Tornado Cash.
Today Ola Finance Tweeted and informed their community that they are investigating an exploit that took place on the Fuse network (LeN). All other lending networks remain unaffected and they have pre-emptively paused borrowing capabilities to mitigate any risk.
According to our sources, the Ola Finance is exploited in a flurry of txs. It leads to a gain of ~$3.6M for the hacker (the protocol loss is larger). The txs hash is 0x1b3e06b6b310886dfd90a5df8ddbaf515750eda7126cf5f69874e92761b1dc90.
Our sources used the above hash to find out what has happened. They could find out the following:
CBUSD: OxBaAFD1F5e3846C67465 FCbb536a52D5d8f484Abc
The hacker minted 27,284.948 OWETH by depositing 550.446 WETH
The hacker borrowed 507,216.676 BUSD then reentered to transfer (H2->H1): 27,284.948 OWETH + 507,216.676 BUSD
The hacker then redeemed 27,284.948 OWETH to get 550.446 WETH
Further, our sources could find that the hack is made possible due to the incompatibility between the Compound fork and ERC677/ERC777-based tokens. It has the built-in callback functions misused to allow for reentrancy to drain the lending pool. This step can be clearly seen in the image below.
The initial funds to launch the hack are withdrawn from TornadoCash and tunneled to the Fuse network via Fuse Bridge. The gains are tunneled via Fuse Bridge and currently funds still stay in the hacker’s account (0xbcdb800d77ccaac6597830b026d6af78a1118f42).