Ola and Voltage Lending Exploit on Fuse: Post Mortem

To the Ola Community and Our Valued Partners:

We want to express our appreciation towards our strong and loyal community for reacting swiftly in bringing the Voltage lending network exploit to our attention. Most importantly, we would like to thank our partners for diligently assisting us in providing timely and factual information to the Fuse community.

As communicated earlier, a few mechanisms were quickly implemented to control the situation. First, we paused borrowing activity on all our lending networks until we were 100% certain that this vulnerability doesn’t apply to any of them. In addition, we paused the minting of new tokens (i.e. supplying tokens) to the lending network to safeguard users seeking high APYs without awareness of the situation. Finally, we changed the lending network’s interest rate models to reflect 0% APY for borrowers and set all RainMaker speeds to 0; this way, borrowers would not pay inflated interest rates as a result of the attack.

Our community and users will always remain our top priority. To that extent, we are working closely with the Fuse team and other external parties to trace the attacker and create a plan to compensate affected users. Additionally, we will reach out to the attacker to negotiate the return of funds in exchange for a bounty. Full details of the compensation plan will be disclosed as soon as everything is finalized, and we appreciate your patience in the meantime.

Summary of Exploit

At approximately 5am on 31st March (UTC +3), The lending network on Fuse blockchain was exploited for 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, and 1,240,000.00 FUSE. The value stolen sums up to ~$4.67M in today’s ETH, BTC and FUSE prices.

Attacker addresses on Fuse chain:

• Contract1: 0x632942c9BeF1a1127353E1b99e817651e2390CFF
• Contract2: 0x9E5b7da68e2aE8aB1835428E6E0c83a7153f6112
• EOA: 0x371D7C9e4464576D45f11b27Cf88578983D63d75

Attacker addresses on Ethereum:

• EOA: 0x371d7c9e4464576d45f11b27cf88578983d63d75
• EOA: 0xbcdb800d77ccaac6597830b026d6af78a1118f42

Attacker addresses on BNB chain:

• EOA: 0x371d7c9e4464576d45f11b27cf88578983d63d75
• EOA: 0xbcdb800d77ccaac6597830b026d6af78a1118f42

Heist Transactions:

• 0xe800f5 → 20 WBTC + 100 WETH stolen
• 0xb8ef27 → 100 WETH stolen
• 0xff4fa7 → 100 WETH stolen
• 0xf06a9b → 100 WETH stolen
• 0xb53582 → 100 WETH stolen
• 0xf1ac95 → 52.094 WETH stolen
• 0x719ec1 → 6.246 WBTC stolen
• 0x0df8dc → 216,964.176 USDC stolen
• 0x1b3e06 → 507,216.676 BUSD stolen
• 0x17883e → 200,000 fUSD stolen (borrowed and then the collateral was stolen)
• 0x822317 → 1,240,000 FUSE stolen (borrowed and then the collateral was stolen)

Details of Attack

The attack used a reentrancy vulnerability in the ERC677 token standard. Analyzing one of the heist transactions, we found the following series of events:

1. Attacker transferred WETH from C1 to C2.
2. Attacker minted oWETH to C2 (transferring WETH to the oWETH contract).
3. Attacker borrowed XXX token to C2 from the oXXX contract.
4. Since XXX is an ERC677, a callback function was called on C2 during the transfer of XXX from oXXX to C2. In this callback, the attacker transferred the oWETH from C2 to C1. This was possible because the state that updates C2’s borrow balance (and would prevent the transfer of the oWETH) was not updated yet.
5. Since C1 had no borrow balance it could redeem the oWETH back to WETH.
6. The attacker ended up with both the WETH used as collateral to borrow the XXX token and the XXX token they borrowed.

To steal fUSD and FUSE (which are not ERC677), the attacker used the WETH they had already stolen to mint oWETH and borrow all available fUSD and FUSE tokens. Then, they took advantage of the same reentrancy vulnerability to retrieve back the WETH they had just deposited and used as collateral to borrow the fUSD and FUSE.

In the first heist transaction, the attacker took a 515 WETH flash loan from the WETH-WBTC pair on Voltage.Finance to fund the attack. In later transactions, the attacker avoided a flash loan by using the funds that had already been stolen.

Next steps

We will publish a detailed report on all the tokens listed across all the lending networks that confirms this attack can not be replicated on other lending networks. To do so, we will investigate each token’s “transfer” logic to make sure no problematic token standards are in use. In addition, every lending network creator will be provided the capability of quickly pausing the minting and borrowing of tokens on their lending networks.

Later on, we will publish a patch that will allow for Compound forks to safely list tokens that adhere to the ERC677/ERC777 standards. Until then, borrowing and lending for the lending network on Fuse will be temporarily disabled; users with borrowed assets are not accumulating interest and are encouraged not to repay their loans at this time (as they are unlikely to be able to withdraw their collateral). Once this patch is thoroughly tested and audited, full borrowing and lending capabilities on Voltage will resume.

In the coming days, we will release a formalized compensation plan detailing the distribution of funds to affected users. This will be accompanied with additional articles outlining the “next steps” we will be taking in more depth. We thank our partners for their support in analyzing this attack and helping us come to a swift resolution.