Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/polterfinanceunauditedcontractpricemanipulation.php}} {{Unattributed Sources}} Polter Finance Logo/HomepagePolter Finance is a decentralized non-custodial lending and borrowing platform. On November 16th, the team started an upgrade to their smart contract. However, the new code had not been audited. There was a price manipulation vulnerability due to ge..."

2024-12-03T21:15:56Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/polterfinanceunauditedcontractpricemanipulation.php}} {{Unattributed Sources}} thumb|Polter Finance Logo/HomepagePolter Finance is a decentralized non-custodial lending and borrowing platform. On November 16th, the team started an upgrade to their smart contract. However, the new code had not been audited. There was a price manipulation vulnerability due to ge..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/polterfinanceunauditedcontractpricemanipulation.php}}
{{Unattributed Sources}}

[[File:Polterfinance.jpg|thumb|Polter Finance Logo/Homepage]]Polter Finance is a decentralized non-custodial lending and borrowing platform. On November 16th, the team started an upgrade to their smart contract. However, the new code had not been audited. There was a price manipulation vulnerability due to getting price data from a single oracle trading pair, which could be manipulated. The protocol lasted around 5 hours before it was exploited, and another 8 hours before the team publicly announced that there was an exploit. The team has filed a police report and reached out to the attacker. It's unclear if there is any contingency plan to assist affected users.<ref name="rektnews-16850" /><ref name="polterfinancetwitter-16851" /><ref name="polterfinance-16852" /><ref name="polter-16853" /><ref name="coingecko-16854" /><ref name="polterfinancetwitter-16855" /><ref name="polterfinancetwitter-16856" /><ref name="solidityscanblog-16857" /><ref name="certik-16858" /><ref name="ftmscan-16859" />

== About Polter Finance ==
"Polter is a decentralized non-custodial lending and borrowing platform where depositors earn a percentage of the interest charged for borrowing.

Since the cessation of the $GEIST platform on Fantom chain, there has been a demand for something similar to be available to the community. $POLTER was created to satisfy this demand using the same smart contract.

Learning an important lesson from the previous protocol, flash-loans will be disabled on Polter. This will help to minimize risks to users of the platform."

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - Polter Finance Unaudited Contract Price Manipulation
!Date
!Event
!Description
|-
|November 16th, 2024 6:30:00 AM MST
|Approximate Smart Contract Deployment
|The approximate time of the smart contract upgrade deployment.
|-
|November 16th, 2024 11:00:00 AM MST
|Smart Contract Still Running
|The smart contract is still running at 2:00 AM local time in Singapore.
|-
|November 16th, 2024 11:00:30 AM MST
|Time Of Blockchain Transaction
|The estimated time of the blockchain transaction.
|-
|November 16th, 2024 11:30:00 AM MST
|Complaints From Users Start
|Complaints are reported to start being received at 2:30 AM local time in Singapore.
|-
|November 16th, 2024 7:16:00 PM MST
|First Exploit Announcement
|The first exploit announcement is posted on Twitter, which goes over the pausing of the contract and reaching out to some authorities.
|-
|November 17th, 2024 6:07:00 AM MST
|Police Report Tweet
|The Polter Finance founder (whichghost) shares a tweet with a filed police report.
|-
|November 17th, 2024 7:39:00 AM MST
|Negotiation With Hacker
|The team posts an announcement that they have sent a message to negotiate with the hacker.
|-
|November 18th, 2024 7:39:00 AM MST
|No Specific Answers Tweet
|The team posts an announcement they are working with investigator teams and this includes that they will not be answering specific questions.
|}

== Technical Details ==
"The root cause of the exploit lies in the incorrect price validation logic within the AaveOracle contract, which Polter Finance relied on. Specifically, the ChainlinkUniV2Adapter contract used for price fetching contained a flaw in its price validation mechanism."

The protocol's critical mistake? Trusting SpookySwap V2/V3 pool prices for their BOO token oracle - about as secure as using a paper lock on a bank vault.""

"The attacker initiated a flash loan of 269,042 BOO and 1,154,788 BOO tokens from Spooky V2 and Spooky V3 LPs, respectively. This left a minimal amount of BOO tokens on each liquidity pair, causing a drastic price imbalance."

"Using this manipulated spot price, the attacker was able to deposit just 1 BOO token into a Polter lending pool as collateral. Due to a logic flaw in the oracle, the AaveOracle used a flawed price feed that evaluated the 1 BOO token at an inflated value of $1.37 trillion instead of its actual market value."

"The ChainlinkUniV2Adapter contract was used to fetch the current price of the BOO token. However, the contract did not have any safeguards in place to check for drastic price fluctuations resulting from the flash loan. The _fetchPrice function, which retrieves the price data, fetched the manipulated, inflated price from the liquidity pools, which led to the incorrect collateral evaluation."

"The getRoundData() function, used for retrieving historical price data, also failed to validate significant price changes. It relied on the _getPriceAndTimestamp() function to fetch the price, but this function did not have checks in place to detect drastic price fluctuations, such as those caused by the flash loan manipulation."

"As a result, the manipulated price was not validated before being returned. Additionally, the hardcoded answeredInRound = 2 value in the function did not account for whether the price data was accurate for the current round, further allowing the flawed price to pass unchecked."

"The latestRoundData() function, which is supposed to return the most recent price data, was now returning incorrectly inflated prices due to the changes in liquidity caused by the attacker's flash loan. It lacks validation to ensure the retrieved price (answer) is accurate and hasn't been manipulated. It also uses hardcoded values for roundId and answeredInRound, bypassing any dynamic price updates or validation.
The getRoundData() and latestRoundData() functions were supposed to ensure that the price of BOO tokens was consistent and accurate, but they failed to validate the large price changes resulting from the flash loan. The attacker exploited this flaw by providing a small amount of collateral but receiving an inflated price feed in return."

"Additionally, the previousChainlink0Response mechanism, which was supposed to detect whether the price change exceeded a set threshold, failed to do so due to the lack of proper validation. As a result, the inflated price of 1 BOO token passed the oracle's validation checks, leading to the miscalculation of collateral value.
The attacker continued to borrow wFTM tokens against the inflated collateral. As long as the manipulated price was maintained, they could repeat the borrowing process and drain the liquidity pools without limits. The oracle contract failed to detect these repeat borrowings because the price validation was not functioning properly."

"The attacker borrowed 9,134,844 wFTM by using the inflated price of the BOO token as collateral, ultimately draining approximately $8.7 million from the Polter Finance lending pools."

== Total Amount Lost ==
The total amount lost has been estimated at $8,700,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

== Immediate Reactions ==
"On 19/01/2024, | created a cryptocurrency investing lending platform named “Polter Finance” as well as
anew cryptocurrency with the same name. This platform links up lender and borrower for them to stake
the above-mentioned coin for interest. | did not register this company under any countries.

On 16/11/2024, at about 2130hrs, my team and | deployed a smart contract to allow people to borrow an
existing token. The token name is "Boo".

On 17/11/2024, at about 0200hrs, | made a check on the backend of the website, | saw that there is still
having an amount of around $16124400.00/- worth of cryptocurrency in the staking pool.

On 17/11/2024, at about 0230hrs, | saw that some of the community members from Discord commented
that the interest for borrowing money from the platform had spike hence they are unable to borrow any
cryptocurrency from my platform. This is when | found out that something was amiss.

On 17/11/2024, at about 0300hrs, | checked the transactions of the platform and made a check on the
account balance. | saw that there's multiple unauthorized transactions being made to various places.
One of it is to Binance.

Total monetary loss is about $16124400.00/- worth of cryptocurrencies. Most of the cryptocurrencies
belongs to the lenders of the platform.

My personal monetary loss from the transaction is about $300000/- worth of cryptocurrencies.

| wish to state that I did not provide anyone my login details (private keys) and | believed that my
platform's newly deployed smart contract has been exploited, hence causing the unauthorized
transactions."

== Ultimate Outcome ==
"We are actively working with @cryptogle @_SEAL_Org @MatchSystems to find resolution to the $POLTER exploit.

Please understand we cannot answer specific questions right now, but will give another announcement as soon as we are able to."

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rektnews-16850">[https://rekt.news/polter-finance-rekt/ Rekt - Polter Finance] (Accessed Nov 21, 2024)</ref>

<ref name="polterfinancetwitter-16851">[https://twitter.com/polterfinance/status/1858142820785439192 @polterfinance Twitter] (Accessed Nov 21, 2024)</ref>

<ref name="polterfinance-16852">[https://polter.finance/ Polter Finance] (Accessed Nov 21, 2024)</ref>

<ref name="polter-16853">[https://polter.gitbook.io/polter Overview | Polter] (Accessed Nov 21, 2024)</ref>

<ref name="coingecko-16854">[https://www.coingecko.com/en/coins/polter-finance https://www.coingecko.com/en/coins/polter-finance] (Accessed Nov 21, 2024)</ref>

<ref name="polterfinancetwitter-16855">[https://twitter.com/polterfinance/status/1858520465649840149 @polterfinance Twitter] (Accessed Nov 21, 2024)</ref>

<ref name="polterfinancetwitter-16856">[https://twitter.com/polterfinance/status/1858158065264324769 @polterfinance Twitter] (Accessed Nov 21, 2024)</ref>

<ref name="solidityscanblog-16857">[https://blog.solidityscan.com/polter-finance-hack-analysis-c5eaa6dcfd40 Polter Finance Hack Analysis. Overview: | by Shashank | Nov, 2024 | SolidityScan] (Accessed Nov 21, 2024)</ref>

<ref name="certik-16858">[https://www.certik.com/resources/blog/2Y6ZeCCClVIhkBlS4GWKEv-polter-finance-incident-analysis https://www.certik.com/resources/blog/2Y6ZeCCClVIhkBlS4GWKEv-polter-finance-incident-analysis] (Accessed Nov 21, 2024)</ref>

<ref name="ftmscan-16859">[https://ftmscan.com/tx/0x5118df23e81603a64c7676dd6b6e4f76a57e4267e67507d34b0b26dd9ee10eac Fantom Transaction Hash (Txhash) Details | FTMScan] (Accessed Nov 21, 2024)</ref></references>

Polter Finance Unaudited Contract Price Manipulation - Revision history