Lending protocol Ola Finance has just suffered a hack on Fuse Network, one of the blockchains it operates on. The hackers reportedly stole roughly $4 million in various assets.
According to the report, the attack was made possible by a reentrancy bug, a smart contract vulnerability that lets an attacker call back into a protocol repeatedly, before an earlier call has finished updating its state, in order to steal assets.
A couple of hours ago, Voltage Finance shared the incident on Twitter, stating that the theft involved six different digital assets.
Voltage Finance tweeted, “We became aware of a breach on the @voltfinance lending platform around 3 hours ago leading to the theft of $4M in $USDC, $FUSD, $BUSD, $WBTC, $WETH & $FUSE. We are collaborating with our Lending-as-a-Service partner, Ola Finance, for preliminary investigation.”
Ola Finance also confirmed the attack in a tweet:
“We are investigating an exploit that took place on the Fuse Network LeN. All other lending networks remain unaffected, and we have pre-emptively paused borrowing capabilities to mitigate any risk. We are working to offer timely updates and a full report will be provided.”
— Ola.finance (@ola_finance) March 31, 2022
In a conversation with The Block, security firm PeckShield said the attackers started by borrowing funds against their own collateral. They then exploited the reentrancy vulnerability in Ola Finance’s smart contracts to remove the collateral without paying back the loan.
The hackers repeated the process on other Ola Finance pools to steal roughly $4 million in various assets.
As soon as the funds were successfully drained, the attackers moved them from Fuse to other blockchains, including BNB Chain and Ethereum, using Fuse Network’s cross-chain bridge. Currently, $3 million of the stolen funds are held on the Ethereum blockchain.
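The sequence PeckShield describes (borrow against collateral, then take the collateral back while the loan is still open) can be reproduced in a small model that also shows the fix. The Python below is an added illustration, not Ola Finance's contract code: it assumes the pool hands control to the borrower during the transfer before it records the debt, which the report does not spell out, and the class names, function names and 1:1 collateral ratio are hypothetical.

```python
# Toy lending pool (constructed model, not Ola Finance's contract code).
class Pool:
    def __init__(self, cash, safe):
        self.cash, self.safe = cash, safe    # safe=True: hardened ordering + guard
        self.collateral, self.debt = {}, {}  # account -> amount
        self.locked = False                  # reentrancy guard flag

    def _guard(self):
        if self.safe and self.locked:
            raise RuntimeError("reentrant call rejected")

    def deposit(self, who, amount):
        self.collateral[who] = self.collateral.get(who, 0) + amount

    def borrow(self, who, amount):
        self._guard()
        if self.debt.get(who, 0) + amount > self.collateral.get(who, 0):
            raise RuntimeError("insufficient collateral")
        self.locked = True
        try:
            if self.safe:              # effects before interaction
                self.debt[who] = self.debt.get(who, 0) + amount
            self.cash -= amount
            who.on_receive(self)       # transfer hook: external code runs here
            if not self.safe:          # assumed flaw: debt recorded too late
                self.debt[who] = self.debt.get(who, 0) + amount
        finally:
            self.locked = False

    def withdraw(self, who, amount):
        self._guard()
        if self.collateral.get(who, 0) - amount < self.debt.get(who, 0):
            raise RuntimeError("collateral backs an open loan")
        self.collateral[who] -= amount

class CallbackAccount:
    """Account whose receive hook calls back into the pool (hypothetical)."""
    def on_receive(self, pool):
        try:
            pool.withdraw(self, pool.collateral[self])
        except RuntimeError:
            pass                       # hardened pool refuses the nested call

def unbacked_debt(safe):
    """Invariant check: debt not covered by collateral after one borrow."""
    pool, acct = Pool(cash=1000, safe=safe), CallbackAccount()
    pool.deposit(acct, 100)
    pool.borrow(acct, 100)
    return pool.debt[acct] - pool.collateral[acct]
```

With the late bookkeeping the pool ends up with 100 units of debt and no collateral behind it; recording the debt before the external call, backed by the guard flag, keeps the figure at zero.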