Ola Finance, a DeFi lending protocol, has acknowledged that it was exploited by a hacker on March 31, resulting in the loss of $3.7M worth of digital assets.
How The Attack Happened
A report by blockchain security firm PeckShield showed that the hacker exploited a bug in one of the protocol’s smart contracts to carry out the attack. The report came about because Ola Finance had engaged PeckShield to identify the cause of the attack. This attack is the latest in a series of attacks affecting the DeFi sector.
Earlier in the week, another DeFi project (Axie Infinity’s Ronin blockchain) suffered an attack that resulted in the loss of $650M. Many industry watchers have described the attack on the Ronin network as one of the biggest in the DeFi sector’s short history.
Even though the amount lost in this Ola Finance exploit was small compared to the amount lost in the Ronin network attack, it still shows investors’ willingness to invest in little-known projects. According to DeFi Llama data, this attack was carefully planned around the time of Ola Finance’s deployment on the Fuse network.
The Fuse network is an EVM-compatible blockchain that had about $13B in TVL before the attack. The first sign of the attack was some fund withdrawals through Tornado Cash. Criminals often use Tornado Cash to stash their stolen crypto because the platform allows them (and any other user) to transfer digital assets anonymously.
After completing the transfer to the Fuse network, the attacker used the funds as collateral and obtained loans through Ola’s decentralized lending protocol. Then, the attacker capitalized on the re-entrancy bug to withdraw the collateral without repaying the loan amount. The hacker repeated these steps several times across various Ola pools. After withdrawing all the funds, the hacker moved those funds to unidentified Ethereum and BNB Chain wallets.
Consequently, Ola has temporarily suspended its services on the Fuse network. A tweet from the protocol’s official Twitter account states that it will soon release a detailed account of the exploit. The tweet further states that its services on other blockchains will remain functional since they weren’t affected by this exploit.
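The sequence described above (borrow against collateral, then withdraw that collateral while the loan stays unpaid) can be modelled as follows. This is an added example, not code from Ola Finance or PeckShield: a simplified Python model showing a flawed call ordering beside a hardened one. The `Pool` class, the 1:1 collateral ratio, the amounts and the receiver callback fired during the payout are all assumptions, since the page does not describe the contract's code.

```python
class Pool:
    """Toy lending pool (constructed model): 1 unit of collateral backs 1 unit of debt."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.collateral, self.debt = {}, {}
        self.locked = False  # re-entrancy lock, only enforced when hardened

    def deposit(self, who, amount):
        self.collateral[who] = self.collateral.get(who, 0) + amount

    def withdraw(self, who, amount):
        if self.hardened and self.locked:
            raise RuntimeError("re-entrant call rejected")
        if self.collateral.get(who, 0) - amount < self.debt.get(who, 0):
            raise ValueError("collateral still backs a loan")
        self.collateral[who] -= amount

    def borrow(self, who, amount, on_receive):
        if self.debt.get(who, 0) + amount > self.collateral.get(who, 0):
            raise ValueError("insufficient collateral")
        self.locked = True
        try:
            if self.hardened:
                # Effects before interaction: debt is recorded before external code runs.
                self.debt[who] = self.debt.get(who, 0) + amount
                on_receive()
            else:
                # Flawed ordering: external code runs while the debt is still unrecorded.
                on_receive()
                self.debt[who] = self.debt.get(who, 0) + amount
        finally:
            self.locked = False


def simulate(hardened):
    """Return (collateral left, debt owed, result of the nested withdraw)."""
    pool = Pool(hardened)
    pool.deposit("borrower", 100)  # constructed sample amounts
    outcome = {}

    def on_receive():  # assumed receiver hook that runs during the loan payout
        try:
            pool.withdraw("borrower", 100)
            outcome["withdraw"] = "allowed"
        except (RuntimeError, ValueError) as exc:
            outcome["withdraw"] = f"blocked: {exc}"

    pool.borrow("borrower", 100, on_receive)
    return pool.collateral["borrower"], pool.debt["borrower"], outcome["withdraw"]
```

In the flawed ordering the pool ends with a 100-unit loan backed by no collateral; in the hardened ordering the nested withdrawal is rejected and the loan stays fully collateralized.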
Similar Attacks And Solutions To Prevent A Recurrence
This Ola Finance re-entrancy attack isn’t the first to happen in recent times, and it isn’t the largest either. About fourteen days ago, two Gnosis-built DeFi lending projects suffered re-entrancy attacks. The 2016 DAO attack was also a type of re-entrancy attack. It was so huge that an Ethereum network upgrade became necessary and was carried out.
Crypto insurance is one of the proposed solutions to this issue. Sadly, no DeFi project has taken the necessary steps to obtain this insurance despite the continued loss of investors’ funds. Smart contract insurance is the best option for these DeFi projects. Investors might need to start demanding it from DeFi projects seeking investors’ funds so that these projects take crypto insurance seriously.