Fuse Lending, an implementation of the Ola Finance lending protocol, was hacked on March 31 on the Fuse network. The hacker pocketed around $4.6 million in various assets, mostly ether (ETH) and bitcoin (BTC).
The attack on Fuse Lending
Fuse Lending, Inc. (“FUSE”) is a wholly owned subsidiary of Globe Fintech Innovations, Inc. (doing business as “Mynt”). Fuse Lending is a licensed lending institution that caters to the underserved and unbanked population of the Philippines. It aims to create and sustain opportunities for growth and stability for individuals and businesses alike through responsible, fintech-focused lending.
Fuse Lending is regulated by the Securities and Exchange Commission (SEC) of the Philippines and fully complies with its rules and regulations.
On April 1, the decentralized lending protocol Ola Finance revealed, on Twitter and Medium, that it had suffered an attack in which hackers stole cryptocurrencies worth $4.6 million from the platform.
The attack exploited a reentrancy vulnerability involving the ERC677 token standard. Reentrancy is a common bug that lets an attacker trick a smart contract into making repeated calls into a protocol in order to steal assets. A call is an authorization for the smart contract address to interact with a user's wallet address.
On Medium, the team wrote:
“Around 5am on March 31 (UTC+3), the Ola lending network on the Fuse blockchain was mined for 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC and 1,240,000.00 FUSE. The value stolen amounts to ~$4.67 million at the current price of ETH, BTC, and FUSE.” Learn all about wrapped tokens here.
The post then lists the attacker's addresses on the Fuse chain, Ethereum and BNB Chain, which you can find on their Medium.
On the same day, BAYC (Bored Ape Yacht Club) fell victim to a Discord hack.
Ola Finance broke the attack on its service down into six stages:
1. The attacker transferred WETH from C1 to C2.
2. The attacker minted oWETH from C2 (transferring WETH to the oWETH contract).
3. The attacker borrowed the XXX token from the oXXX contract using C2.
4. Since XXX is an ERC677 token, a callback function was invoked on C2 while XXX was being transferred from oXXX to C2. Inside this callback, the attacker transferred the oWETH from C2 to C1. This was possible because the state that records C2's loan balance (and would have prevented the oWETH from being transferred) had not yet been updated.
5. Since C1 had no loan balance, the attacker could redeem the oWETH for WETH.
6. The attacker ended up with both the WETH used as collateral to borrow the XXX token and the XXX token itself.
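To make step 4 concrete, here is a small Python model, added for this article and not Ola Finance's own code, of the ordering bug: the ERC677 callback runs before the borrow balance is written, so the collateral receipt can be moved out, while the same replay is blocked once the balance is written before the external call (checks-effects-interactions). The account names C1/C2, the 10.0 amounts and the XXX token are constructed; a real fix would also add a reentrancy guard.

```python
class ERC677LendingMarket:
    def __init__(self, effects_before_interaction):
        # True: loan balance written before the ERC677 callback (hardened); False: after it (step 4).
        self.effects_before_interaction = effects_before_interaction
        self.o_weth = {}     # oWETH collateral receipts per account
        self.borrowed = {}   # outstanding XXX loan per account

    def mint(self, acct, weth):  # step 2: deposit WETH, receive oWETH
        self.o_weth[acct] = self.o_weth.get(acct, 0.0) + weth

    def _require_no_loan(self, acct):
        if self.borrowed.get(acct, 0.0) > 0.0:
            raise RuntimeError("collateral locked by outstanding loan")
    def transfer_o_weth(self, src, dst, amt):  # receipts backing a loan must not move
        self._require_no_loan(src)
        self.o_weth[src] -= amt
        self.o_weth[dst] = self.o_weth.get(dst, 0.0) + amt

    def redeem(self, acct, amt):  # step 5: burn oWETH, get WETH back
        self._require_no_loan(acct)
        self.o_weth[acct] -= amt
        return amt
    def borrow(self, acct, amt, on_token_transfer):  # step 3
        if self.o_weth.get(acct, 0.0) < amt: raise RuntimeError("insufficient collateral")
        snapshot = (dict(self.o_weth), dict(self.borrowed))  # emulate an EVM revert
        try:
            if self.effects_before_interaction:
                self.borrowed[acct] = self.borrowed.get(acct, 0.0) + amt
                on_token_transfer(self)  # ERC677 callback on the recipient
            else:
                on_token_transfer(self)  # callback still sees a zero loan balance
                self.borrowed[acct] = self.borrowed.get(acct, 0.0) + amt
            return amt
        except RuntimeError:
            self.o_weth, self.borrowed = snapshot
            raise

def replay_attack(effects_before_interaction):
    # Replays the six stages (C1 and C2 both attacker-controlled); returns (weth_out, xxx_out) or the revert reason.
    m = ERC677LendingMarket(effects_before_interaction)
    m.mint("C2", 10.0)  # steps 1-2: WETH moved to C2 and deposited for oWETH
    def callback(market):  # step 4: runs while XXX is being transferred to C2
        market.transfer_o_weth("C2", "C1", 10.0)
    try:
        xxx_out = m.borrow("C2", 10.0, callback)
    except RuntimeError as err:
        return str(err)
    return (m.redeem("C1", 10.0), xxx_out)  # steps 5-6
```

With the vulnerable ordering the attacker walks away holding both the 10.0 WETH collateral and the 10.0 XXX loan; with the hardened ordering the callback's transfer reverts and the whole borrow is rolled back.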
The next steps
Ola Finance is working on several points. The first is to trace and identify all “problem” tokens. Borrowing and lending are currently disabled to give the teams time to identify all the flaws.
Finally, we can read on Medium: “In the coming days, we will publish a formal compensation plan detailing the distribution of funds to affected users. This plan will be accompanied by additional articles describing in more detail the “next steps” that we will take. We thank our partners for their support in analyzing this attack and helping us find a quick solution.”
It's not a funny April Fool's joke for investors or for Ola Finance, but these are the risks and realities of DeFi. Always be careful and diversify your investments across DeFi and even CeFi sites. As the saying goes, don't put all your eggs in one basket.