Azoundria: Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/olympusdaobondcontractexploited.php}} {{Unattributed Sources}} OlympusDAO Homepage/LogoThe Olympus protocol is a decentralized financial system supporting OHM, a treasury-backed token on Ethereum. Leveraging mechanisms like Protocol Owned Liquidity and Range Bound Stability, Olympus aims to create robust, censorship-resistant smart money. Despite stablecoins' reliance..."

2024-02-13T19:54:57Z

Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/olympusdaobondcontractexploited.php}} {{Unattributed Sources}} thumb|OlympusDAO Homepage/LogoThe Olympus protocol is a decentralized financial system supporting OHM, a treasury-backed token on Ethereum. Leveraging mechanisms like Protocol Owned Liquidity and Range Bound Stability, Olympus aims to create robust, censorship-resistant smart money. Despite stablecoins' reliance..."

New page

{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/olympusdaobondcontractexploited.php}}
{{Unattributed Sources}}

[[File:Olympusdao.jpg|thumb|OlympusDAO Homepage/Logo]]The Olympus protocol is a decentralized financial system supporting OHM, a treasury-backed token on Ethereum. Leveraging mechanisms like Protocol Owned Liquidity and Range Bound Stability, Olympus aims to create robust, censorship-resistant smart money. Despite stablecoins' reliance on centralized assets, Olympus offers an alternative, providing long-term price predictability and reliable liquidity. However, in October 2022, OlympusDAO fell victim to an attack, where a hacker exploited a smart contract vulnerability, stealing 30,000 OHM tokens worth around $292,000. The flaw allowed the attacker to control the redemption process, prompting OlympusDAO to notify users and confirming the exploit on its Discord channel. Fortunately, the hacker returned the stolen assets shortly after.

This is a global/international case not involving a specific country.<ref name="redditold-13022" /><ref name="cryptoslate-13023" /><ref name="etherscan-13024" /><ref name="peckshieldtwitter-13025" /><ref name="etherscan-13026" /><ref name="peckshieldtwitter-13027" /><ref name="olympusdaotwitter-13028" /><ref name="olympusdaotwitter-13029" /><ref name="olympusdaofinancedocs-13030" /><ref name="halborn-13031" /><ref name="coinmonksmedium-13032" />

== About OlympusDAO ==
"The Olympus protocol is a decentralized financial (DeFi) system that supports OHM, a treasury backed, liquidity-enabling token on the Ethereum network. Olympus leverages the mechanisms of Protocol Owned Liquidity (POL), Range Bound Stability (RBS) and Cooler Loans to create a robust, flexible, censorship-resistant, and smart money.

The goal of Olympus is to build a programmatic policy-controlled money that:

Preserves purchasing power via long-term price predictability.
Maintains reliable liquidity across decentralized exchanges.
Is used as a unit of account (e.g., by being paired against many other decentralized assets)
Is utilized as a trusted asset (e.g., to collateralize other assets or deposited into protocols’ treasuries).
Is fully decentralized and controlled by the community
Is financially flexible, allowing users to borrow the backing against their money"

"Fiat-pegged stablecoins have become an essential part of crypto due to their lack of volatility as compared to tokens such as Bitcoin and Ether. Users are comfortable with transacting stablecoins knowing they hold the same amount of purchasing power today vs. tomorrow. Unfortunately, this is a fallacy. Fiat dollars are controlled by centralized government monetary policy and always decrease in purchasing power (inflation). This depreciation of the dollar also means a depreciation of these stablecoins. Olympus provides an alternative to Web3’s reliance on centralized, censorable stablecoin assets."

"In October 2022, OlympusDAO was the victim of an attack. The attacker exploited a smart contract vulnerability to steal 30,000 OHM tokens." "A malicious actor used a smart contract flaw on Friday, October 21, 2022, to take 30,437 OHM tokens from the Olympus DAO. Following the event, it was discovered that OHM tokens worth roughly $300,000 were stolen by hackers."

"According to Peckshield, the hacker exploited the contract’s “BondFixedExpiryTeller,” inability to validate the transfer request properly. The firm continued, “the related OlympusDAO’s BondFixedExpiryTeller contract has a redeem() function that does not properly validate the input, resulting in ~$292K loss.”"

"The OHM tokens in the Bond Contract could be redeemed by an attacker since the redeem() function accepts tokens without requiring any input validation and gives the attacker the ability to use their own malicious contract. Since the malicious contract will be in the hands of the attacker, they will have complete control over the value they provide for the “amount_” parameter. The attacker, who is represented by msg.sender, will then receive the same number of OHM tokens as a result of this. An attacker may then redeem and transfer all the tokens!"

"The OlympusDAO team confirmed the exploit on its Discord channel, revealing that the attacker drained the funds from the OHM bond contract with Bond Protocol. The protocol also stated that the bug was not found by its auditors, and the attacker could have earned much more if he had reported it via Immunefi."

"The hacker restored the stolen assets to the protocol shortly after, and Olympus DAO notified users in a subsequent update."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

* Known history of when and how the service was started.
* What problems does the company or service claim to solve?
* What marketing materials were used by the firm or business?
* Audits performed, and excerpts that may have been included.
* Business registration documents shown (fake or legitimate).
* How were people recruited to participate?
* Public warnings and announcements prior to the event.

Don't Include:
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
* Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - OlympusDAO Bond Contract Exploited
!Date
!Event
!Description
|-
|October 13th, 2022 12:39:00 PM MDT
|Twitter Report
|OlympusDAO tweets to "further stress that this is still a testing period and not the full OHM Bonds release".
|-
|October 20th, 2022 11:22:47 PM MDT
|Exploit Transaction
|The exploiter manages to steal 30,437.077948152 OHM.
|-
|October 21st, 2022 5:16:00 AM MDT
|Technical Analysis
|PeckShield posts a technical analysis of the exploit.
|-
|October 21st, 2022 8:29:35 AM MDT
|Funds Returned
|A blockchain transaction returns 30,437.077948152 OHM.
|-
|October 21st, 2022 8:48:00 AM MDT
|Fund Return Reported
|PeckShield reports on the return of funds.
|-
|October 21st, 2022 10:58:14 AM MDT
|CryptoSlate Article
|CryptoSlate reports on the hacker returning funds.
|-
|October 21st, 2022 11:09:24 AM MDT
|Reddit Discussion
|Discussion posted on Reddit.
|-
|October 25th, 2022 9:41:00 AM MDT
|Range Bound Stability
|A range-bound stability smart contract is "on the horizon" with "[t]hree audits".
|}

== Technical Details ==
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

== Total Amount Lost ==
$292k

The total amount lost has been estimated at $292,000 USD.

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
The total amount recovered has been estimated at $292,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="redditold-13022">[https://old.reddit.com/r/CryptoCurrency/comments/y9yzr7/white_hat_hacker_returns_300k_gained_from/itav49r/ Stankoman comments on White hat hacker returns $300k gained from OlympusDAO exploit] (Mar 16, 2023)</ref>

<ref name="cryptoslate-13023">[https://cryptoslate.com/white-hat-hacker-returns-300k-gained-from-olympusdao-exploit/ White hat hacker returns $300k gained from OlympusDAO exploit] (Feb 9, 2024)</ref>

<ref name="etherscan-13024">[https://etherscan.io/tx/0x3ed75df83d907412af874b7998d911fdf990704da87c2b1a8cf95ca5d21504cf Ethereum Transaction Hash (Txhash) Details | Etherscan] (Feb 9, 2024)</ref>

<ref name="peckshieldtwitter-13025">[https://twitter.com/peckshield/status/1583470179803049984 @peckshield Twitter] (Feb 9, 2024)</ref>

<ref name="etherscan-13026">[https://etherscan.io/tx/0xd38c92dc3de78ad282c2403a434db28fc47d3bbecdaece08c2bf91bd333c918e Ethereum Transaction Hash (Txhash) Details | Etherscan] (Feb 9, 2024)</ref>

<ref name="peckshieldtwitter-13027">[https://twitter.com/peckshield/status/1583416829237526528 @peckshield Twitter] (Feb 9, 2024)</ref>

<ref name="olympusdaotwitter-13028">[https://twitter.com/OlympusDAO/status/1580629201744367619 @OlympusDAO Twitter] (Feb 9, 2024)</ref>

<ref name="olympusdaotwitter-13029">[https://twitter.com/OlympusDAO/status/1584933291416702977 @OlympusDAO Twitter] (Feb 13, 2024)</ref>

<ref name="olympusdaofinancedocs-13030">[https://docs.olympusdao.finance/ Olympus Docs | Olympus Docs] (Feb 13, 2024)</ref>

<ref name="halborn-13031">[https://www.halborn.com/blog/post/explained-the-olympusdao-hack-october-2022 Explained: The OlympusDAO Hack (October 2022)] (Feb 13, 2024)</ref>

<ref name="coinmonksmedium-13032">[https://medium.com/coinmonks/the-olympusdao-hack-is-detailed-october-2022-57dbfc4e9207 The Olympusdao Hack Is Detailed October 2022] (Feb 13, 2024)</ref></references>

OlympusDAO Bond Contract Exploited - Revision history