OlympusDAO Bond Contract Exploited
The Olympus protocol is a decentralized financial system supporting OHM, a treasury-backed token on Ethereum. Using mechanisms such as Protocol Owned Liquidity and Range Bound Stability, Olympus aims to create robust, censorship-resistant smart money. Where fiat-pegged stablecoins rely on centralized assets, Olympus positions itself as an alternative that targets long-term price predictability and reliable liquidity. In October 2022, however, OlympusDAO was hit by an attack in which a hacker exploited a smart contract vulnerability to steal 30,000 OHM tokens worth around $292,000. The flaw gave the attacker control over the redemption process; OlympusDAO confirmed the exploit on its Discord channel and notified users. The hacker returned the stolen assets shortly afterwards.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11]
About OlympusDAO
"The Olympus protocol is a decentralized financial (DeFi) system that supports OHM, a treasury backed, liquidity-enabling token on the Ethereum network. Olympus leverages the mechanisms of Protocol Owned Liquidity (POL), Range Bound Stability (RBS) and Cooler Loans to create a robust, flexible, censorship-resistant, and smart money.
The goal of Olympus is to build a programmatic policy-controlled money that:
- Preserves purchasing power via long-term price predictability.
- Maintains reliable liquidity across decentralized exchanges.
- Is used as a unit of account (e.g., by being paired against many other decentralized assets).
- Is utilized as a trusted asset (e.g., to collateralize other assets or deposited into protocols’ treasuries).
- Is fully decentralized and controlled by the community.
- Is financially flexible, allowing users to borrow the backing against their money."
"Fiat-pegged stablecoins have become an essential part of crypto due to their lack of volatility as compared to tokens such as Bitcoin and Ether. Users are comfortable with transacting stablecoins knowing they hold the same amount of purchasing power today vs. tomorrow. Unfortunately, this is a fallacy. Fiat dollars are controlled by centralized government monetary policy and always decrease in purchasing power (inflation). This depreciation of the dollar also means a depreciation of these stablecoins. Olympus provides an alternative to Web3’s reliance on centralized, censorable stablecoin assets."
"In October 2022, OlympusDAO was the victim of an attack. The attacker exploited a smart contract vulnerability to steal 30,000 OHM tokens."
"A malicious actor used a smart contract flaw on Friday, October 21, 2022, to take 30,437 OHM tokens from the Olympus DAO. Following the event, it was discovered that OHM tokens worth roughly $300,000 were stolen by hackers."
"According to Peckshield, the hacker exploited the contract’s “BondFixedExpiryTeller” inability to validate the transfer request properly. The firm continued, “the related OlympusDAO’s BondFixedExpiryTeller contract has a redeem() function that does not properly validate the input, resulting in ~$292K loss.”"
"The OHM tokens in the Bond Contract could be redeemed by an attacker since the redeem() function accepts tokens without requiring any input validation and gives the attacker the ability to use their own malicious contract. Since the malicious contract will be in the hands of the attacker, they will have complete control over the value they provide for the “amount_” parameter. The attacker, who is represented by msg.sender, will then receive the same number of OHM tokens as a result of this. An attacker may then redeem and transfer all the tokens!"
"The OlympusDAO team confirmed the exploit on its Discord channel, revealing that the attacker drained the funds from the OHM bond contract with Bond Protocol. The protocol also stated that the bug was not found by its auditors, and the attacker could have earned much more if he had reported it via Immunefi."
"The hacker restored the stolen assets to the protocol shortly after, and Olympus DAO notified users in a subsequent update."
The Reality
What Happened
| Date | Event | Description |
|---|---|---|
| October 13th, 2022 12:39:00 PM MDT | Twitter Report | OlympusDAO tweets to "further stress that this is still a testing period and not the full OHM Bonds release". |
| October 20th, 2022 11:22:47 PM MDT | Exploit Transaction | The exploiter manages to steal 30,437.077948152 OHM. |
| October 21st, 2022 5:16:00 AM MDT | Technical Analysis | PeckShield posts a technical analysis of the exploit. |
| October 21st, 2022 8:29:35 AM MDT | Funds Returned | A blockchain transaction returns 30,437.077948152 OHM. |
| October 21st, 2022 8:48:00 AM MDT | Fund Return Reported | PeckShield reports on the return of funds. |
| October 21st, 2022 10:58:14 AM MDT | CryptoSlate Article | CryptoSlate reports on the hacker returning funds. |
| October 21st, 2022 11:09:24 AM MDT | Reddit Discussion | Discussion posted on Reddit. |
| October 25th, 2022 9:41:00 AM MDT | Range Bound Stability | A range-bound stability smart contract is "on the horizon" with "[t]hree audits". |
Technical Details
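A simplified reconstruction, added here as an illustration and not the deployed BondFixedExpiryTeller source: the vulnerable shape of a redeem() that trusts whatever bond-token contract the caller passes in, beside a hardened version that only redeems bond tokens the teller itself issued. The interface names, the `isBondToken` registry and `_registerBondToken` are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical bond-token interface modelled on the behaviour the case describes.
interface IBondToken {
    function underlying() external view returns (IERC20);
    function expiry() external view returns (uint48);
    function burn(address from, uint256 amount) external;
}

// Vulnerable shape: nothing ties token_ to a bond this teller created, so the teller
// relies on the passed-in contract to report its own underlying asset and to burn honestly.
contract VulnerableTeller {
    function redeem(IBondToken token_, uint256 amount_) external {
        require(block.timestamp >= token_.expiry(), "not expired");
        token_.burn(msg.sender, amount_);                   // caller-supplied contract decides what this does
        token_.underlying().transfer(msg.sender, amount_);  // pays out amount_ of whatever underlying() claims
    }
}

// Hardened shape: the teller keeps an allowlist of bond tokens it deployed and refuses everything else,
// so the payout is always backed by a real burn of a teller-issued token.
contract HardenedTeller {
    mapping(address => bool) public isBondToken;

    // Assumed hook: called wherever the teller deploys a new bond token.
    function _registerBondToken(address token) internal {
        isBondToken[token] = true;
    }

    function redeem(IBondToken token_, uint256 amount_) external {
        require(isBondToken[address(token_)], "teller: unknown bond token");
        require(block.timestamp >= token_.expiry(), "not expired");
        token_.burn(msg.sender, amount_);
        require(token_.underlying().transfer(msg.sender, amount_), "transfer failed");
    }
}
```

The single `require(isBondToken[...])` line is the missing input validation the PeckShield analysis refers to: with it, the underlying asset and the burn logic come only from contracts the teller trusts.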
Total Amount Lost
$292k
The total amount lost has been estimated at $292,000 USD.
Immediate Reactions
Ultimate Outcome
Total Amount Recovered
The total amount recovered has been estimated at $292,000 USD.
Ongoing Developments
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Stankoman comments on White hat hacker returns $300k gained from OlympusDAO exploit (Mar 16, 2023)
- [2] White hat hacker returns $300k gained from OlympusDAO exploit (Feb 9, 2024)
- [3] Ethereum Transaction Hash (Txhash) Details | Etherscan (Feb 9, 2024)
- [4] @peckshield Twitter (Feb 9, 2024)
- [5] Ethereum Transaction Hash (Txhash) Details | Etherscan (Feb 9, 2024)
- [6] @peckshield Twitter (Feb 9, 2024)
- [7] @OlympusDAO Twitter (Feb 9, 2024)
- [8] @OlympusDAO Twitter (Feb 13, 2024)
- [9] Olympus Docs | Olympus Docs (Feb 13, 2024)
- [10] Explained: The OlympusDAO Hack (October 2022) (Feb 13, 2024)
- [11] The Olympusdao Hack Is Detailed October 2022 (Feb 13, 2024)