Polter Finance Unaudited Contract Price Manipulation

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Polter Finance Logo/Homepage

Polter Finance is a decentralized non-custodial lending and borrowing platform on the Fantom chain, built on the same smart contracts as the discontinued Geist protocol. On November 16th, 2024, the team deployed an upgraded smart contract that had not been audited. Its oracle derived the price of the BOO token from the balances of SpookySwap liquidity pools, so a flash loan that pulled most of the BOO out of those pools inflated the quoted price within a single transaction. The attacker used the inflated quote to deposit 1 BOO, valued by the oracle at roughly $1.37 trillion, as collateral and borrowed about 9.1 million wFTM, roughly $8.7 million. The upgraded contract had been live for around 4.5 hours before it was exploited, and another 8 hours passed before the team publicly announced the exploit. The team has filed a police report and reached out to the attacker. It is unclear whether there is any contingency plan to assist affected users.[1][2][3][4][5][6][7][8][9][10]

About Polter Finance

"Polter is a decentralized non-custodial lending and borrowing platform where depositors earn a percentage of the interest charged for borrowing.

Since the cessation of the $GEIST platform on Fantom chain, there has been a demand for something similar to be available to the community. $POLTER was created to satisfy this demand using the same smart contract.

Learning an important lesson from the previous protocol, flash-loans will be disabled on Polter. This will help to minimize risks to users of the platform."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Polter Finance Unaudited Contract Price Manipulation

Date | Event | Description
November 16th, 2024 6:30:00 AM MST | Approximate Smart Contract Deployment | The approximate time the upgraded smart contract was deployed (9:30 PM local time in Singapore, per the founder's police report).
November 16th, 2024 11:00:00 AM MST | Smart Contract Still Running | The founder checks the platform backend at 2:00 AM local time in Singapore and sees the staking pool still holding funds.
November 16th, 2024 11:00:30 AM MST | Time Of Blockchain Transaction | The estimated time of the exploit transaction.
November 16th, 2024 11:30:00 AM MST | Complaints From Users Start | Discord users report at 2:30 AM local time in Singapore that borrowing interest has spiked and they can no longer borrow.
November 16th, 2024 7:16:00 PM MST | First Exploit Announcement | The first exploit announcement is posted on Twitter, covering the pausing of the contract and outreach to authorities.
November 17th, 2024 6:07:00 AM MST | Police Report Tweet | The Polter Finance founder (whichghost) shares a tweet with the filed police report.
November 17th, 2024 7:39:00 AM MST | Negotiation With Hacker | The team announces that they have sent a message to the attacker to open negotiations.
November 18th, 2024 7:39:00 AM MST | No Specific Answers Tweet | The team announces they are working with investigator teams and will not be answering specific questions.

Technical Details

"The root cause of the exploit lies in the incorrect price validation logic within the AaveOracle contract, which Polter Finance relied on. Specifically, the ChainlinkUniV2Adapter contract used for price fetching contained a flaw in its price validation mechanism."

"The protocol's critical mistake? Trusting SpookySwap V2/V3 pool prices for their BOO token oracle - about as secure as using a paper lock on a bank vault."

"The attacker initiated a flash loan of 269,042 BOO and 1,154,788 BOO tokens from Spooky V2 and Spooky V3 LPs, respectively. This left a minimal amount of BOO tokens on each liquidity pair, causing a drastic price imbalance."

"Using this manipulated spot price, the attacker was able to deposit just 1 BOO token into a Polter lending pool as collateral. Due to a logic flaw in the oracle, the AaveOracle used a flawed price feed that evaluated the 1 BOO token at an inflated value of $1.37 trillion instead of its actual market value."

"The ChainlinkUniV2Adapter contract was used to fetch the current price of the BOO token. However, the contract did not have any safeguards in place to check for drastic price fluctuations resulting from the flash loan. The _fetchPrice function, which retrieves the price data, fetched the manipulated, inflated price from the liquidity pools, which led to the incorrect collateral evaluation."

"The getRoundData() function, used for retrieving historical price data, also failed to validate significant price changes. It relied on the _getPriceAndTimestamp() function to fetch the price, but this function did not have checks in place to detect drastic price fluctuations, such as those caused by the flash loan manipulation."

"As a result, the manipulated price was not validated before being returned. Additionally, the hardcoded answeredInRound = 2 value in the function did not account for whether the price data was accurate for the current round, further allowing the flawed price to pass unchecked."

"The latestRoundData() function, which is supposed to return the most recent price data, was now returning incorrectly inflated prices due to the changes in liquidity caused by the attacker's flash loan. It lacks validation to ensure the retrieved price (answer) is accurate and hasn't been manipulated. It also uses hardcoded values for roundId and answeredInRound, bypassing any dynamic price updates or validation. The getRoundData() and latestRoundData() functions were supposed to ensure that the price of BOO tokens was consistent and accurate, but they failed to validate the large price changes resulting from the flash loan. The attacker exploited this flaw by providing a small amount of collateral but receiving an inflated price feed in return."

"Additionally, the previousChainlink0Response mechanism, which was supposed to detect whether the price change exceeded a set threshold, failed to do so due to the lack of proper validation. As a result, the inflated price of 1 BOO token passed the oracle's validation checks, leading to the miscalculation of collateral value. The attacker continued to borrow wFTM tokens against the inflated collateral. As long as the manipulated price was maintained, they could repeat the borrowing process and drain the liquidity pools without limits. The oracle contract failed to detect these repeat borrowings because the price validation was not functioning properly."

"The attacker borrowed 9,134,844 wFTM by using the inflated price of the BOO token as collateral, ultimately draining approximately $8.7 million from the Polter Finance lending pools."
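The mechanism the quoted analyses describe, reduced to a runnable model. This is an added example written for this page; it is not Polter's contract code, not the ChainlinkUniV2Adapter, and not any auditor's proof of concept. It models a constant-product BOO/wFTM pool with constructed balances, an oracle that prices BOO from live pool balances (the behaviour attributed to the adapter above), and a hardened oracle that adds the two checks the analyses say were missing: a deviation check against an independent reference price (a Chainlink-style feed, assumed here) and a time-weighted average taken at block boundaries. The reserves, the 0.5 wFTM reference price, the 10% band and the 3-block window are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Constant-product BOO/wFTM pair. Balances are constructed for the
    example and are not SpookySwap's real reserves."""
    boo: float
    ftm: float

    def spot_ftm_per_boo(self) -> float:
        """Naive spot quote read straight from live balances."""
        return self.ftm / self.boo

    def flash_borrow_boo(self, amount: float) -> float:
        """Lend BOO out of the pool for the rest of the current transaction."""
        if amount >= self.boo:
            raise ValueError("pool cannot lend more BOO than it holds")
        self.boo -= amount
        return amount

    def repay_boo(self, amount: float) -> None:
        self.boo += amount


def naive_collateral_value(pool: Pool, boo_deposited: float) -> float:
    """Collateral value in wFTM as seen by an oracle that trusts live balances,
    the behaviour the quoted root-cause analysis attributes to the adapter."""
    return boo_deposited * pool.spot_ftm_per_boo()


class OracleRejected(Exception):
    """Raised when a quote fails validation; a lending pool should revert on this."""


@dataclass
class HardenedOracle:
    """Deviation check against an independent reference price plus a
    time-weighted average of observations taken at block boundaries."""
    reference_price: float          # wFTM per BOO from the independent feed (constructed)
    max_deviation: float = 0.10     # reject quotes more than 10 % off the reference (assumption)
    window: int = 3                 # number of block-boundary observations averaged (assumption)
    observations: list = field(default_factory=list)

    def record_block_end(self, pool: Pool) -> None:
        """Called once per block after all transactions settle. A flash loan is
        repaid inside its own transaction, so it never shows up here."""
        self.observations.append(pool.spot_ftm_per_boo())
        del self.observations[:-self.window]

    def twap(self) -> float:
        if not self.observations:
            raise OracleRejected("no block-boundary observations yet")
        return sum(self.observations) / len(self.observations)

    def validated_price(self, pool: Pool) -> float:
        """Circuit breaker first, then the averaged price the pool actually uses."""
        live = pool.spot_ftm_per_boo()
        deviation = abs(live - self.reference_price) / self.reference_price
        if deviation > self.max_deviation:
            raise OracleRejected(
                f"live pool price {live:.4f} deviates {deviation:.0%} from reference")
        return self.twap()

    def collateral_value(self, pool: Pool, boo_deposited: float) -> float:
        return boo_deposited * self.validated_price(pool)


def simulate_attack(flash_amount: float = 999_000.0):
    """Replay the attack shape against both oracles. Returns the honest value of
    1 BOO, the naive oracle's value of 1 BOO during the flash loan, and the
    reason the hardened oracle rejected the manipulated quote (None if it did not)."""
    pool = Pool(boo=1_000_000.0, ftm=500_000.0)     # 0.5 wFTM per BOO, constructed
    oracle = HardenedOracle(reference_price=0.5)
    for _ in range(3):                               # honest blocks before the attack
        oracle.record_block_end(pool)

    honest = naive_collateral_value(pool, 1.0)
    borrowed = pool.flash_borrow_boo(flash_amount)   # drain almost all BOO from the pair
    inflated = naive_collateral_value(pool, 1.0)     # 1 BOO now quoted 1000x higher
    try:
        oracle.collateral_value(pool, 1.0)
        rejection = None
    except OracleRejected as exc:
        rejection = str(exc)
    pool.repay_boo(borrowed)                         # loan repaid in the same transaction
    return honest, inflated, rejection


if __name__ == "__main__":
    h, i, r = simulate_attack()
    print(f"honest value of 1 BOO: {h} wFTM")
    print(f"naive oracle during flash loan: {i} wFTM")
    print(f"hardened oracle: {r}")
```

The deviation check is a circuit breaker, not a price source: it stops a manipulated quote from reaching the lending pool, while the TWAP is what the pool actually prices collateral with. A TWAP can still be moved by a swap that is held open across several blocks, but that puts real capital at risk in the pool rather than a flash loan repaid in the same transaction, so together the two checks raise the attack cost from near zero to a large fraction of the pool's depth.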

Total Amount Lost

The total amount lost has been estimated at $8,700,000 USD. Technical post-mortems put the loss at about $8.7 million, corresponding to the 9,134,844 wFTM borrowed against the manipulated collateral, while the founder's police report states a total loss of about $16,124,400 worth of cryptocurrency, the amount held in the staking pool shortly before the exploit.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"On 19/01/2024, I created a cryptocurrency investing lending platform named "Polter Finance" as well as a new cryptocurrency with the same name. This platform links up lender and borrower for them to stake the above-mentioned coin for interest. I did not register this company under any countries.

On 16/11/2024, at about 2130hrs, my team and I deployed a smart contract to allow people to borrow an existing token. The token name is "Boo".

On 17/11/2024, at about 0200hrs, I made a check on the backend of the website. I saw that there was still an amount of around $16124400.00/- worth of cryptocurrency in the staking pool.

On 17/11/2024, at about 0230hrs, I saw that some of the community members from Discord commented that the interest for borrowing money from the platform had spiked, hence they were unable to borrow any cryptocurrency from my platform. This is when I found out that something was amiss.

On 17/11/2024, at about 0300hrs, I checked the transactions of the platform and made a check on the account balance. I saw that there were multiple unauthorized transactions being made to various places. One of them was to Binance.

Total monetary loss is about $16124400.00/- worth of cryptocurrencies. Most of the cryptocurrencies belong to the lenders of the platform.

My personal monetary loss from the transaction is about $300000/- worth of cryptocurrencies.

I wish to state that I did not provide anyone my login details (private keys) and I believed that my platform's newly deployed smart contract has been exploited, hence causing the unauthorized transactions."

Ultimate Outcome

"We are actively working with @cryptogle @_SEAL_Org @MatchSystems to find resolution to the $POLTER exploit.

Please understand we cannot answer specific questions right now, but will give another announcement as soon as we are able to."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References