DeFi Lending Protocol Ola Finance Exploited for $3.6M

Key Insights:

• DeFi lending protocol Ola Finance announced an exploit that allowed an attacker to steal $3.6 million.
• The attacker took advantage of a reentrancy bug in Ola’s smart contracts.
• This comes just a week after the exploit of Axie Infinity’s Ronin network. 

It was no April Fool joke for Ola Finance when over $3.6 million were siphoned off the protocol in a recent exploit. DeFi protocols have been an easy target for hackers as more and more security breaches have surfaced over the last couple of years.

Another DeFi hack

On April 1, decentralized lending protocol Ola Finance revealed that it suffered an exploit that allowed hackers to grab $3.6 million worth of cryptocurrencies from the platform.

1/2 Standing together, @ola_finance and @voltfinance remain united in our efforts to compensate users suffering from the latest exploit.

All projects accept responsibility and ask our communities to focus on the next steps of growth, rather than assigning blame.

— Ola.finance (@ola_finance) March 31, 2022

Ola Finance published a summary of the exploit, revealing that the value stolen from the protocol summed up to around $4.67M in ETH, BTC, and FUSE prices. The attackers managed to steal around 216,964 USDC, 507,216 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, and 1.24 million FUSE.

PeckShield, a blockchain security firm that worked with Ola to investigate the exploit, disclosed that the attacker took advantage of a ‘reentrancy’ bug in one of Ola’s smart contracts. The hack was made possible due to the incompatibility between Compound fork and ERC677/ERC777-based tokens, which have the built-in callback functions misused to allow reentrancy to drain the lending pool.

Ola’s DeFi protocol operates across various blockchains. In the recent attack hackers targeted its deployment on the Fuse network. Fuse is an Ethereum Virtual Machine-compatible blockchain with around $12.8 million in total value locked (TVL) before the attack.

Hackers Targeting DeFi

The Ola Finance hack comes only a few days after the $625 million exploit of Axie Infinity’s Ronin network. The Ronin hack is one of the largest in DeFi history, where a whopping 173,600 ETH and  25.5M USDC were drained from Ronin bridge just last week.

Furthermore, the reentrancy attack used for the Ola Finance hack isn’t the first one this year. On March 16, attacker siphoned over $11 million from Agave and Hundred Finance by introducing a reentrancy bug and using a flash loan exploit to siphon funds, as reported by FXEmpire.

Even though the Ola Finance hack is relatively smaller than the aforementioned attacks, it reminds us of the multimillion-dollar thefts that are now fairly common in DeFi.