Decentralized lending platform Polter Finance suffered a devastating exploit on the Fantom blockchain, essentially erasing most of its assets.
The flaw, discovered early on Sunday, involved manipulation of the platform’s token pricing mechanisms, leaving its users reeling.
The attacker began by routing funds through Tornado Cash, an Ethereum-based coin mixer that conceals the origin of funds, then bridged them from Ethereum to the Fantom network, where the exploit was executed.
Once the breach was identified, Polter Finance took immediate action by suspending its platform to contain the damage and notified major bridge operators.
The pseudonymous founder of Polter Finance, known as “Whichghost”, filed a police report in Singapore following the breach. The hack resulted in losses exceeding SGD16.1 million (approximately US$12 million).
The newly deployed smart contract on the platform was exploited, causing users’ assets to be lost through unauthorized transactions, the report said. The founder also reported personal losses of $223,219.
While the police report lists total losses of around $12 million, other reports from Web3 security companies suggest the actual amount stolen was closer to $7 million.
According to data from DeFi Llama, Polter Finance’s TVL stood at around $9.7 million before the attack, indicating substantial losses.
In a statement on X (formerly Twitter), the team wrote: “The platform was paused shortly after the exploit was identified. The bridges have been warned. We identified the wallets involved and traced it back to Binance. We are still investigating the nature of the exploit. We are in the process of contacting the authorities.” (@polterfinance, November 17, 2024)
The platform also sent an on-chain message to the attacker, offering to negotiate and forgo legal action if the stolen funds were returned.
Web3 security experts believe the root cause of the exploit was a price manipulation attack on the platform’s oracle, the external data feed a lending platform uses to determine token prices.
Smart contract auditing firm QuillAudits shared findings with Decrypt showing that the vulnerability lay in how Polter Finance calculated the value of the SpookySwap BOO token.
“The price of the SpookySwap BOO token in the lending pool was determined by the spot price of the SpookySwap v3 pool and v2 pair; calculated based on the token balance ratio in the pool,” QuillAudits told Decrypt.
Because the lending pool read the price from the pool’s balance ratio, an attacker who artificially inflated the BOO price could deposit a very small amount (just 1 BOO token) as collateral and withdraw a much larger amount of other assets against it, emptying the platform of its funds.
“This case illustrates a classic exploit of oracle manipulation. The price of the BOO token is manipulated by the attacker using a flash loan to artificially inflate the price of the BOO token,” Hakan Unal, Senior Blockchain Scientist at Cyvers Ai, told Decrypt.
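To make the mechanism QuillAudits and Cyvers describe concrete, here is an added Python simulation; it is not code from Polter Finance, QuillAudits or Cyvers, and the reserve sizes, the 75% loan-to-value ratio, the price history and the absence of swap fees are all constructed assumptions. It models a Uniswap-v2-style constant-product pair whose balance ratio is read as the spot price by a lending pool, runs a flash-loan swap through it, and compares how much 1 BOO of collateral can borrow under the spot-price oracle versus a time-weighted average of prices from earlier blocks.

```python
# Added example (not Polter Finance, QuillAudits or Cyvers code): a toy
# constant-product pair feeding a lending pool's price oracle, showing why a
# flash-loan swap lets 1 BOO of collateral borrow far more than it is worth,
# and why a time-weighted reference price does not move for the same swap.
# All reserve sizes, the 75% loan-to-value ratio and the price history are
# constructed; swap fees are ignored for clarity.
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class ConstantProductPair:
    """Uniswap-v2-style pair: reserve_boo * reserve_usd stays constant."""
    reserve_boo: float
    reserve_usd: float

    def spot_price(self) -> float:
        # USD per BOO read straight from the balance ratio: this is the
        # manipulable number a lending pool must not trust within one block.
        return self.reserve_usd / self.reserve_boo

    def swap_usd_for_boo(self, usd_in: float) -> float:
        """Sell USD into the pair, return the BOO received."""
        k = self.reserve_boo * self.reserve_usd
        self.reserve_usd += usd_in
        new_boo = k / self.reserve_usd
        boo_out = self.reserve_boo - new_boo
        self.reserve_boo = new_boo
        return boo_out

    def swap_boo_for_usd(self, boo_in: float) -> float:
        """Sell BOO into the pair, return the USD received."""
        k = self.reserve_boo * self.reserve_usd
        self.reserve_boo += boo_in
        new_usd = k / self.reserve_boo
        usd_out = self.reserve_usd - new_usd
        self.reserve_usd = new_usd
        return usd_out


@dataclass
class LendingPool:
    """Lends USD against BOO collateral; the oracle is whatever price_fn returns."""
    usd_liquidity: float
    ltv: float = 0.75  # constructed loan-to-value ratio

    def max_borrow(self, boo_collateral: float, price_fn: Callable[[], float]) -> float:
        return min(boo_collateral * price_fn() * self.ltv, self.usd_liquidity)


def twap(price_samples: List[float]) -> float:
    """Average of prices recorded in earlier blocks (constructed history).
    A swap inside the current block changes none of these samples."""
    return sum(price_samples) / len(price_samples)


def run_attack(flash_loan_usd: float) -> dict:
    pair = ConstantProductPair(reserve_boo=1_000_000.0, reserve_usd=1_000_000.0)  # BOO = $1
    pool = LendingPool(usd_liquidity=9_700_000.0)
    history = [pair.spot_price()] * 10  # ten honest samples at $1 from earlier blocks

    honest_borrow = pool.max_borrow(1.0, pair.spot_price)

    # Step 1: flash-loaned USD is dumped into the pair, draining BOO and
    # inflating the spot price within the same transaction.
    boo_received = pair.swap_usd_for_boo(flash_loan_usd)
    manipulated_spot = pair.spot_price()

    # Step 2: deposit 1 BOO and borrow against it under each oracle design.
    spot_borrow = pool.max_borrow(1.0, pair.spot_price)
    twap_borrow = pool.max_borrow(1.0, lambda: twap(history))

    # Step 3: unwind the swap and repay the flash loan (no fees in this model).
    usd_back = pair.swap_boo_for_usd(boo_received)

    return {
        "honest_borrow": honest_borrow,
        "manipulated_spot": manipulated_spot,
        "spot_borrow": spot_borrow,
        "twap_borrow": twap_borrow,
        "flash_loan_repaid": usd_back >= flash_loan_usd - 1e-6,
    }


if __name__ == "__main__":
    for key, value in run_attack(99_000_000.0).items():
        print(f"{key:>18}: {value}")
```

With a 99 million USD flash loan against a 1 million / 1 million pair, the spot price jumps from $1 to $10,000, so the spot-priced pool lends $7,500 against a single BOO while the TWAP-priced pool still lends $0.75; the swap is then reversed and the loan repaid in the same transaction. A time-weighted price is only one of the usual defences; the general point is that a lending market must not value collateral from a number the borrower can move within the transaction that uses it.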
Polter Finance announced that it has since worked with the Security Alliance Information Sharing and Analysis Center (SEAL-ISAC) to track down the hacker.
This incident adds to the growing list of security breaches in the crypto industry. The total amount lost to exploits surpassed $2 billion in 2024 alone, with code vulnerabilities causing $39.6 million in losses across 44 incidents, according to a recent Certik report.
Edited by Stacy Elliott.