Ola Finance Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 10:57, 28 January 2023 by Azoundria (talk | contribs)

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Ola Finance

Ola Finance offers a service which allows others to launch decentralized lending platforms. There was a reentrancy exploit in the smart contract which was exploited by an attacker to take a significant amount of funds. The attacker was unable to be reached to negotiate the return of the funds, however the Ola Finance developers have agreed to put in place a compensation scheme for those affected users.

This is a global/international case not involving a specific country.

About Ola Finance

"A decentralized protocol for programmable lending." "Ola Finance is a Lending-as-a-Service platform that allows anyone to create their own branded lending network at the click of a button. Each Lending Network (LeN) consists of a number of different tokens, determined by the network creator, which can be lent and borrowed."

"Ola's goal is to create an inclusive lending protocol within DeFi where assets can be listed without needing to pass cumbersome and expensive governance schemes or comply with numerous requirements (deep liquidity, high trading volumes, low volatility, etc.). Ola supports all kinds of assets: from early-stage governance tokens to different stablecoins and backed assets, all the way to exotic receipt tokens."

"Ola Finance is not another Compound or Aave. Rather, Ola is a technology provider that enables others to build Compound-like instances governed and controlled by the creator."

"Initially launched as 'Fuse Lending Network', the key benefit for Fuse was to have lending launched on the platform without needing to internalize the resources typically needed for this type of implementation."

"The collaboration with Fuse entails Ola Finance managing smart contract architecture and implementation as well as integrations that are core to the Ola platform such as price oracles. The creator, Fuse in this case, makes decisions about lending network configurations, including which tokens to list and parameters to set, such as collateral and liquidation factors within fixed ranges set by Ola Finance. Both parties benefit from the collaboration via a revenue sharing model."

"In summer 2021 the process of integrating Ola into Voltage Finance (formerly FuseFi) began. Voltage Finance is the first all in one DeFi platform on Fuse Network, created by the Fuse Foundation and later spun out into an independent DAO in March 2022. Voltage Finance featured available lending assets’ data and APYs, requiring the user to redirect to the Ola platform in order to execute lending and borrowing orders. Full integration allowing the user to lend and borrow directly on Voltage Finance was part of the roadmap."

"On April 1, decentralized lending protocol Ola Finance also suffered an exploit that allowed hackers to grab $3.6 million worth of cryptocurrencies from the platform."

"The exploit occurred at around 2am UTC on 31st March. The value stolen summed up to ~$4.67M at the time of the attack in ETH, BTC and FUSE prices: 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, 1,240,000.00 FUSE." "At approximately 5am on 31st March (UTC +3), The lending network on Fuse blockchain was exploited for 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, and 1,240,000.00 FUSE. The value stolen sums up to ~$4.67M in today’s ETH, BTC and FUSE prices."

"The initial funds to launch the hack are withdrawn from @TornadoCash and tunneled to Fuse network via Fuse Bridge."

"The hack is made possible due to the incompatibility between Compound fork and ERC677/ERC777-based tokens, which have the built-in callback functions misused to allow for reentrancy to drain the lending pool." "The attack used a reentrancy vulnerability in the ERC677 token standard. Analyzing one of the heist transactions, we found the following series of events:"

"(1) Attacker transferred WETH from C1 to C2."

"(2) Attacker minted oWETH to C2 (transferring WETH to the oWETH contract)."

"(3) Attacker borrowed XXX token to C2 from the oXXX contract."

"(4) Since XXX is an ERC677, a callback function was called on C2 during the transfer of XXX from oXXX to C2. In this callback, the attacker transferred the oWETH from C2 to C1. This was possible because the state that updates C2’s borrow balance (and would prevent the transfer of the oWETH) was not updated yet."

"(5) Since C1 had no borrow balance it could redeem the oWETH back to WETH."

"(6) The attacker ended up with both the WETH used as collateral to borrow the XXX token and the XXX token they borrowed."

"(7) To steal fUSD and FUSE (which are not ERC677), the attacker used the WETH they had already stolen to mint oWETH and borrow all available fUSD and FUSE tokens. Then, they took advantage of the same reentrancy vulnerability to retrieve back the WETH they had just deposited and used as collateral to borrow the fUSD and FUSE."

"In the first heist transaction, the attacker took a 515 WETH flash loan from the WETH-WBTC pair on Voltage.Finance to fund the attack. In later transactions, the attacker avoided a flash loan by using the funds that had already been stolen." "The gains [were] tunneled via Fuse Bridge and currently funds still stay in the hacker’s account."
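The ordering defect behind the event sequence quoted above, shown as an added Solidity example written for this page (it is hypothetical code, not Ola's, Fuse's or Compound's): a single-contract market with the borrow step written both ways. The contract names, the `transferCollateral()` and `redeem()` entry points, the 75% collateral factor and the 1:1 pricing are all assumptions chosen to keep the illustration short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal token interface. An ERC677/ERC777 token additionally calls a hook on
// the recipient from inside transfer(); that hook is where control returns to
// the borrower before the market has finished its own bookkeeping.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical single-contract market (collateral and debt tracked together,
// all prices assumed 1:1). Only the ordering inside borrow() matters here.
abstract contract MarketBase {
    IERC20 public immutable collateralToken;              // stands in for WETH
    IERC20 public immutable borrowToken;                  // stands in for the ERC677 "XXX" token
    uint256 public constant COLLATERAL_FACTOR_BPS = 7500; // 75%, an assumed value

    mapping(address => uint256) public collateral; // oToken-style balance
    mapping(address => uint256) public borrows;    // debt the market believes it is owed

    uint256 private _entered = 1;
    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    constructor(IERC20 _collateral, IERC20 _borrow) {
        collateralToken = _collateral;
        borrowToken = _borrow;
    }

    function supply(uint256 amount) external nonReentrant {
        require(collateralToken.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        collateral[msg.sender] += amount;
    }

    // Collateral may only leave an account that stays solvent afterwards. The
    // check reads borrows[], so it is only as good as the bookkeeping at the
    // moment it runs.
    function transferCollateral(address to, uint256 amount) external nonReentrant {
        require(_solventAfterRemoving(msg.sender, amount), "undercollateralised");
        collateral[msg.sender] -= amount;
        collateral[to] += amount;
    }

    function redeem(uint256 amount) external nonReentrant {
        require(_solventAfterRemoving(msg.sender, amount), "undercollateralised");
        collateral[msg.sender] -= amount;
        require(collateralToken.transfer(msg.sender, amount), "transfer failed");
    }

    function borrow(uint256 amount) external virtual;

    function _solventAfterRemoving(address acct, uint256 amount) internal view returns (bool) {
        uint256 remaining = collateral[acct] - amount; // reverts on underflow in 0.8
        return borrows[acct] <= (remaining * COLLATERAL_FACTOR_BPS) / 10_000;
    }

    function _withinBorrowLimit(address acct, uint256 amount) internal view returns (bool) {
        return borrows[acct] + amount <= (collateral[acct] * COLLATERAL_FACTOR_BPS) / 10_000;
    }
}

// Interaction before effect. The borrowed tokens leave (and the recipient hook
// fires) while borrows[msg.sender] still holds the old value, so a
// transferCollateral() made from inside the hook sees an account with no debt
// and lets the collateral go. borrow() here never takes the lock, so the guard
// on transferCollateral() sees nothing unusual.
contract VulnerableMarket is MarketBase {
    constructor(IERC20 c, IERC20 b) MarketBase(c, b) {}

    function borrow(uint256 amount) external override {
        require(_withinBorrowLimit(msg.sender, amount), "exceeds borrow limit");
        require(borrowToken.transfer(msg.sender, amount), "transfer failed"); // hook runs here
        borrows[msg.sender] += amount;                                         // recorded too late
    }
}

// Effect before interaction, plus the lock: the debt is recorded before any
// external call, so a re-entered transferCollateral() either fails the
// solvency check or is rejected by nonReentrant outright.
contract HardenedMarket is MarketBase {
    constructor(IERC20 c, IERC20 b) MarketBase(c, b) {}

    function borrow(uint256 amount) external override nonReentrant {
        require(_withinBorrowLimit(msg.sender, amount), "exceeds borrow limit");
        borrows[msg.sender] += amount;                                         // state first
        require(borrowToken.transfer(msg.sender, amount), "transfer failed"); // external call last
    }
}
```

In a Compound-style deployment each oToken is its own contract with its own reentrancy lock, so a `nonReentrant` modifier on `borrow()` in the oXXX market says nothing about a transfer of oWETH that happens inside the oWETH market during the callback; recording the debt before the external call is the part of the fix that holds across contracts. Which listed tokens carry a recipient hook at all is exactly the question a token transfer-logic review of the kind described later on this page answers.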

Ola Finance said on Twitter at the time: "We are investigating an exploit that took place on the @Fuse_network LeN. All other lending networks remain unaffected, and we have pre-emptively paused borrowing capabilities to mitigate any risk."

"[A] few mechanisms were quickly implemented to control the situation. First, we paused borrowing activity on all our lending networks until we were 100% certain that this vulnerability doesn’t apply to any of them. In addition, we paused the minting of new tokens (i.e. supplying tokens) to the lending network to safeguard users seeking high APYs without awareness of the situation. Finally, we changed the lending network’s interest rate models to reflect 0% APY for borrowers and set all RainMaker speeds to 0; this way, borrowers would not pay inflated interest rates as a result of the attack."

"In this joint blog post we aim to provide a complete overview of events concerning the very unfortunate exploit which took place on 31st March leading to the theft of over $4 million and plans to make amends to those affected."

"As of writing, the stolen funds are still being held by the attacker on Ethereum and BNB Chain. Legal authorities have been alerted and we are working to prohibit the attacker from making any legal use of funds."

"An attempt was made to establish contact with the hacker via data input on an Ethereum transaction on Thursday 31st March following the exploit. As of yet we have received no communication from him/her."

"Important lessons have been learned about the importance of taking a step back to consider risk during periods of rapid growth. We are convinced that the entire, collective community will come out of this stronger than ever. We’re more galvanized than ever in our mission to take DeFi mainstream. We also realize that, whilst unfortunate events like this can occur when battle-testing cutting-edge technology, making user safety a number one priority is crucial to the industry’s long-term success."

"We are providing our partners the ability to pause money markets in their lending network. When activated, this will temporarily stop the ability to supply and/or borrow additional tokens from a market. This feature will not affect any current positions, including a user’s ability to repay loans or withdraw collateral. Pausing functionalities can halt an attacker in the midst of draining a market, thus preventing additional funds from being stolen. The ability to call this function will only be given to whitelisted addresses."
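A way to structure the pause mechanism described above, as an added Solidity example written for this page (hypothetical code, not Ola's): a guardian contract holding an allow-list and per-market flags, and a market that gates only the entry points that add exposure. The names `PauseGuardian` and `PausableMarket`, the admin/guardian split and the accounting-only market body are assumptions; token transfers are left out so the gating is the only thing shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical pause control for a lending network. Allow-listed guardians can
// halt new supply (mint) and new borrowing per market; repaying and
// withdrawing are never gated, so positions can always be unwound.
contract PauseGuardian {
    address public immutable admin;
    mapping(address => bool) public guardians;    // who may pause
    mapping(address => bool) public mintPaused;   // market => supplying halted
    mapping(address => bool) public borrowPaused; // market => borrowing halted

    event GuardianSet(address indexed guardian, bool allowed);
    event MintPaused(address indexed market, bool paused);
    event BorrowPaused(address indexed market, bool paused);

    constructor() { admin = msg.sender; }

    function setGuardian(address guardian, bool allowed) external {
        require(msg.sender == admin, "not admin");
        guardians[guardian] = allowed;
        emit GuardianSet(guardian, allowed);
    }

    // Design choice made here: any guardian may pause, only the admin may
    // unpause, so a leaked guardian key cannot reopen a market it was meant
    // to protect.
    function _authorise(bool paused) internal view {
        if (paused) require(guardians[msg.sender] || msg.sender == admin, "not guardian");
        else require(msg.sender == admin, "not admin");
    }

    function setMintPaused(address market, bool paused) external {
        _authorise(paused);
        mintPaused[market] = paused;
        emit MintPaused(market, paused);
    }

    function setBorrowPaused(address market, bool paused) external {
        _authorise(paused);
        borrowPaused[market] = paused;
        emit BorrowPaused(market, paused);
    }
}

// Accounting-only market (no token transfers) showing which entry points are
// gated and which are not.
contract PausableMarket {
    PauseGuardian public immutable guardian;
    mapping(address => uint256) public supplied;
    mapping(address => uint256) public borrowed;

    constructor(PauseGuardian g) { guardian = g; }

    modifier whenMintAllowed() {
        require(!guardian.mintPaused(address(this)), "mint paused");
        _;
    }
    modifier whenBorrowAllowed() {
        require(!guardian.borrowPaused(address(this)), "borrow paused");
        _;
    }

    // Entry points that add exposure to the market are gated...
    function supply(uint256 amount) external whenMintAllowed { supplied[msg.sender] += amount; }
    function borrow(uint256 amount) external whenBorrowAllowed { borrowed[msg.sender] += amount; }

    // ...entry points that reduce exposure are not, so existing positions,
    // repayments and collateral withdrawals keep working during an incident.
    function repay(uint256 amount) external { borrowed[msg.sender] -= amount; }
    function redeem(uint256 amount) external { supplied[msg.sender] -= amount; }
}
```

Because the flags live in one contract and are keyed by market address, a single guardian call halts a market that is being drained without touching any other market in the network, and every pause and unpause is logged as an event that monitoring can alert on.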

"We will release a report analyzing the token transfer logic of all tokens currently used in our partners’ lending networks. In addition, we will continue to update this report for tokens listed by network owners in the future to ensure there are no vulnerabilities presented within a token’s contract. This report will be publicly listed on Ola Finance’s Gitbook."

"The Ola and Fuse teams are working on a UI to facilitate the distribution of funds and will share access to the UI once complete." "We have collected final data concerning those affected by the attack and have developed a joint compensation plan between all parties involved."

"Compensation from Ola Finance will be provided as follows: Ola Finance pledges 400K of its future token distributed over 1 year from the TGE (date to be determined) and split proportionately among victims based on their percentage of the total amount stolen. Ola plans to generate 100M tokens, thereby designating 400K OLA as 0.4% of the total supply to reimburse the victims. While the future price of the Ola token is currently undetermined, victims have the option of receiving immediate compensation by converting their future token options to USDC at the value of $1 per Ola token. Currently, this option is limited to $200,000; however, should demand exceed this, Ola will work to bring in additional funds."

"1/2 Standing together, @ola_finance and @voltfinance remain united in our efforts to compensate users suffering from the latest exploit. All projects accept responsibility and ask our communities to focus on the next steps of growth, rather than assigning blame."

"The lending market will be reinstated as soon as both parties, along with security partners, are confident that ample measures have been taken to mitigate any future risk. The estimated time is 1–2 months."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Ola Finance Exploit
Date | Event | Description
March 30th, 2022 8:00:00 PM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost has been estimated at $4,670,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

It would be recommended that platforms get at least 2 independent security audits and a third after 6 months of operation. This level of diligence would greatly reduce the risk of an exploit.

We have proposed that platforms fund a collective industry insurance fund, which would then be available to cover losses. The loss amount can be reduced by having the majority of funds in offline cold storage, protected by a multi-signature wallet, until a project is sufficiently established that full coverage is affordable.

References

Trezor Issues Data Breach Warning As Users Cite Phishing Attacks (May 21)

Ola Lending Networks (Jul 13)

Introduction - Ola Finance (Jul 13)

@ola_finance Twitter (Jul 13)

https://ola-finance.medium.com/ola-voltage-exploit-on-fuse-network-transparency-report-compensation-plan-and-future-steps-98d858b9e5a3 (Jul 13)

@ola_finance Twitter (Jul 13)

@ola_finance Twitter (Jul 13)

@ola_finance Twitter (Jul 13)

@ola_finance Twitter (Jul 13)

https://ola-finance.medium.com/ola-and-voltage-lending-exploit-on-fuse-post-mortem-214c13d88443 (Jul 13)

https://ola-finance.medium.com/ola-finance-rolls-out-security-revamp-9b2b437591f1 (Jul 13)

@peckshield Twitter (Jul 13)