$292 000 USD

OCTOBER 2022

GLOBAL

OLYMPUSDAO

DESCRIPTION OF EVENTS

"The Olympus protocol is a decentralized financial (DeFi) system that supports OHM, a treasury backed, liquidity-enabling token on the Ethereum network. Olympus leverages the mechanisms of Protocol Owned Liquidity (POL), Range Bound Stability (RBS) and Cooler Loans to create a robust, flexible, censorship-resistant, and smart money.


The goal of Olympus is to build a programmatic policy-controlled money that:


  • Preserves purchasing power via long-term price predictability.
  • Maintains reliable liquidity across decentralized exchanges.
  • Is used as a unit of account (e.g., by being paired against many other decentralized assets).
  • Is utilized as a trusted asset (e.g., to collateralize other assets or deposited into protocols’ treasuries).
  • Is fully decentralized and controlled by the community.
  • Is financially flexible, allowing users to borrow the backing against their money."


"Fiat-pegged stablecoins have become an essential part of crypto due to their lack of volatility as compared to tokens such as Bitcoin and Ether. Users are comfortable with transacting stablecoins knowing they hold the same amount of purchasing power today vs. tomorrow. Unfortunately, this is a fallacy. Fiat dollars are controlled by centralized government monetary policy and always decrease in purchasing power (inflation). This depreciation of the dollar also means a depreciation of these stablecoins. Olympus provides an alternative to Web3’s reliance on centralized, censorable stablecoin assets."


"In October 2022, OlympusDAO was the victim of an attack. The attacker exploited a smart contract vulnerability to steal 30,000 OHM tokens." "A malicious actor used a smart contract flaw on Friday, October 21, 2022, to take 30,437 OHM tokens from the Olympus DAO. Following the event, it was discovered that OHM tokens worth roughly $300,000 were stolen by hackers."


"According to Peckshield, the hacker exploited the contract’s “BondFixedExpiryTeller” inability to validate the transfer request properly. The firm continued, “the related OlympusDAO’s BondFixedExpiryTeller contract has a redeem() function that does not properly validate the input, resulting in ~$292K loss.”"


"The OHM tokens in the Bond Contract could be redeemed by an attacker since the redeem() function accepts tokens without requiring any input validation and gives the attacker the ability to use their own malicious contract. Since the malicious contract will be in the hands of the attacker, they will have complete control over the value they provide for the “amount_” parameter. The attacker, who is represented by msg.sender, will then receive the same number of OHM tokens as a result of this. An attacker may then redeem and transfer all the tokens!"
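To make the mechanism described above concrete, here is an added illustration (not OlympusDAO's or Bond Protocol's code, and not part of the original page): a minimal fixed-expiry bond teller whose redeem() trusts whatever token contract the caller passes in, beside a hardened version that only honours bond tokens it deployed itself. The interface, contract, function and error names are assumptions chosen for the example, as is the registry-based check; the real contracts differ in detail, and the purchase/mint path is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.8;

// Added illustration (assumption-based, not Bond Protocol's or OlympusDAO's code).

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// What a teller expects of a bond token: the asset it pays out, when it
// matures, and a way to burn the redeemed claim.
interface IBondToken {
    function underlying() external view returns (IERC20);
    function expiry() external view returns (uint48);
    function burn(address from, uint256 amount) external;
}

// Minimal fixed-expiry bond token; only the teller that deployed it may burn.
contract BondToken {
    IERC20 public immutable underlying;
    uint48 public immutable expiry;
    address public immutable teller;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 underlying_, uint48 expiry_) {
        underlying = underlying_;
        expiry = expiry_;
        teller = msg.sender;
    }

    modifier onlyTeller() {
        require(msg.sender == teller, "not teller");
        _;
    }

    function mint(address to, uint256 amount) external onlyTeller { balanceOf[to] += amount; }
    function burn(address from, uint256 amount) external onlyTeller { balanceOf[from] -= amount; }
}

// VULNERABLE pattern: redeem() never checks that `token_` was issued by this
// teller. Every value it relies on (expiry, the burn, the underlying asset)
// comes from a contract chosen by the caller, so the only thing the teller
// itself contributes is the transfer of `amount_` from its own balance.
contract VulnerableTeller {
    function redeem(IBondToken token_, uint256 amount_) external {
        if (uint48(block.timestamp) < token_.expiry()) revert("not matured");
        token_.burn(msg.sender, amount_);                   // caller-supplied contract decides what this does
        token_.underlying().transfer(msg.sender, amount_);  // teller pays out of its own holdings
    }
}

// HARDENED pattern: the teller keeps a registry of the bond tokens it deployed,
// keyed by (underlying, expiry), and redeem() refuses anything not in it.
contract HardenedTeller {
    mapping(IERC20 => mapping(uint48 => BondToken)) public bondTokens;

    error UnsupportedToken();
    error TokenNotMatured(uint48 expiry);

    // The deploy path is the only writer of the registry.
    function create(IERC20 underlying_, uint48 expiry_) external returns (BondToken token) {
        token = bondTokens[underlying_][expiry_];
        if (address(token) == address(0)) {
            token = new BondToken(underlying_, expiry_);
            bondTokens[underlying_][expiry_] = token;
        }
    }

    function redeem(BondToken token_, uint256 amount_) external {
        IERC20 underlying = token_.underlying();
        uint48 expiry = token_.expiry();
        // Input validation: the (underlying, expiry) pair must map back to this
        // exact contract, which rules out look-alike tokens from any other source.
        if (address(bondTokens[underlying][expiry]) != address(token_)) revert UnsupportedToken();
        if (uint48(block.timestamp) < expiry) revert TokenNotMatured(expiry);
        token_.burn(msg.sender, amount_);   // reverts on insufficient balance (checked arithmetic)
        underlying.transfer(msg.sender, amount_);
    }
}
```

The registry lookup is what ties a redemption back to a bond the teller actually issued. In the vulnerable version the burn can be a no-op and the reported underlying can be whatever asset the teller happens to hold, which is the "complete control over amount_" the quote above refers to; in the hardened version the burn is performed by a token whose balances the teller itself minted, so amount_ is bounded by a real claim.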


"The OlympusDAO team confirmed the exploit on its Discord channel, revealing that the attacker drained the funds from the OHM bond contract with Bond Protocol. The protocol also stated that the bug was not found by its auditors, and the attacker could have earned much more if he had reported it via Immunefi."


"The hacker restored the stolen assets to the protocol shortly after, and Olympus DAO notified users in a subsequent update."

The Olympus protocol is a decentralized financial system supporting OHM, a treasury-backed token on Ethereum. Leveraging mechanisms like Protocol Owned Liquidity and Range Bound Stability, Olympus aims to create robust, censorship-resistant smart money. Where fiat-pegged stablecoins rely on centralized, censorable assets, Olympus offers an alternative intended to provide long-term price predictability and reliable liquidity. In October 2022, however, OlympusDAO fell victim to an attack in which a hacker exploited a smart contract vulnerability, stealing 30,000 OHM tokens worth around $292,000. The flaw, a redeem() function that did not validate its input, allowed the attacker to control the redemption process; OlympusDAO confirmed the exploit on its Discord channel and notified users. Fortunately, the hacker returned the stolen assets shortly after.

Sources And Further Reading


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.