- Ola Finance has lost $3.6 million to an attack on its lending product on Fuse Network.
- An unknown hacker took advantage of a reentrancy vulnerability in the protocol’s smart contract.
Lending protocol Ola Finance suffered a hack today on Fuse Network, one of the many blockchains it operates on, with the attacker pocketing an estimated $3.6 million in various assets.
The incident involved a common issue known as a reentrancy bug, a smart contract vulnerability that enables hackers to make repeated calls to a protocol in order to steal assets. Just a few weeks ago, two DeFi protocols on Gnosis Chain – Hundred Finance and Agave – lost customer funds amounting to more than $11 million in flash loan attacks resulting from reentrancy bugs.
Security firm PeckShield told The Block that the Ola Finance hacker started by first borrowing funds using their own collateral. After that, taking advantage of the reentrancy vulnerability within Ola’s smart contracts, the hacker was able to remove the collateral without repaying the loan they took. The perpetrator then repeated the same process on other Ola Finance pools to make off with $3.6 million in total.
After draining the funds, the perpetrator transferred them from Fuse to other blockchains – BNB Chain and Ethereum – via Fuse’s own cross-chain bridge. Of the total loot, it is reported that the hacker holds $3 million on Ethereum and another $637,000 on BNB Chain.
Ola Finance said it’s still investigating the incident and promised to come out with a post-mortem report soon. Ola’s decentralized lending product on Fuse Network remains paused to control the damage. The project noted its lending services on other blockchains were unaffected in the incident.