“Lending-as-a-Service” provider Ola Finance was drained today in an eccentric hack
Ola Finance, a platform for building custom DeFi modules, had its Fuse-based mechanism leveraged from the Voltage Finance protocol. Cybersecurity provider PeckShield has already disclosed how attackers managed to drain cash.
Two protocols, two blockchains, six assets: another sophisticated hack in DeFi
PeckShield, a flagship blockchain security and data analytics vendor, announced today, on March 31, 2022, that Ola.Finance’s lending mechanism has been hacked.
Voltage Finance, an EVM-enabled first DeFi hub on the Fuse Network (FUSE) blockchain, has confirmed that its Ola Finance system has been dumped for $4,000,000:
We became aware of a breach on the @voltfinance lending platform around 3 hours ago leading to the theft of $4M in $USDC, $FUSD, $BUSD, $WBTC, $WETH & $FUSE.
According to PeckShield’s analysis, the hack became possible due to the lack of compatibility between Compound (COMP) forks – Ola Finance enables DeFi companies to create Compound-like systems – and Ethereum-based tokens of a standard particular.
ERC677/ERC777 tokens have built-in callback functions that allowed attackers to misuse Ola’s mechanism to drain accessed liquidity pools.
Attacks against cryptographic protocols are on fire in 2022
To carry out an attack, the hackers transferred funds from Ethereum through the Tornado Cash mixing system. Lately, funds have been returned to Ethereum addresses already reported by mainstream explorers.
Voltage Finance asked USD Coin (USDC) operator Circle Inc. and CEX teams to blacklist involved addresses on Ethereum (ETH) blockchain.
As covered by U.Today previously, DeFi hacks have shattered all previous highs in terms of the volume of stolen assets. Two days ago, Axie Infinity’s sidechain Ronin (RON) sold out for $625 million.
The Ronin (RON) hack appears to be the largest hack ever in decentralized finance (DeFi) history.
Update: The U.Today team has been contacted by Mr. Elvis Živković from Voltage Finance. According to his statement, the protocol itself was not hacked:
The Voltage Finance DeFi protocol wasn’t exploited. Ola Finance was exploited. We are partners of Ola and use their platform in a lending-as-a-service way. Ola Finance is a separate team, it doesn’t belong to Fuse.io nor Voltage Finance.
