Ola Finance Rolls out Security Revamp

Ola Finance
Apr 3, 2022

In light of the recent exploit, the Ola team is rolling out a platform-wide security revamp to safeguard all of our partners’ lending networks and allow for continued growth. We are taking immediate action by implementing a few security measures to reduce the impact of potential attacks. In this article, we will explain these new features and illustrate the effect they will have on the platform. Later on, we will publish additional information on further security features.

The first three immediate security measures are as follows:

1. Ability to Pause Money Markets

We are providing our partners the ability to pause money markets in their lending network. When activated, a pause temporarily stops users from supplying and/or borrowing additional tokens in a market. This feature will not affect any current positions, including a user’s ability to repay loans or withdraw collateral. Pausing a market can halt an attacker in the midst of draining it, thus preventing additional funds from being stolen. The ability to call this function will only be given to whitelisted addresses.

Not only are we providing the functionality, but we will train each of our partners on how and when to properly use this feature. Just as Ola provides the tools for projects to own their own lending network, we provide education on how to best maintain it.

2. Dynamic Adjustment of the ACC (Active Collateral Cap)

A unique parameter that Ola Finance offers over other lending networks is the active collateral cap: an optional constraint that limits the total dollar value available for use as collateral in each money market. This parameter protects networks from attackers who manipulate a collateral asset (either inside or outside of the lending network) to borrow an inflated amount against its illegitimate value.

For example, let’s assume $1M of a token is being used as collateral by honest users, and there is an active collateral cap set at $1.5M. Even if an attacker could manipulate the price of this token to be $1T, they could only borrow against the remaining $500,000 of active collateral allowed for this token. Alternatively, let’s say an attacker is able to perform an infinite mint exploit to increase their holdings — their borrow position would still be limited by the active collateral cap. This measure doesn’t eliminate the risk of bad debt, but heavily restricts it. We will apply this mechanism to assets using a TWAP oracle and will update the active collateral cap dynamically according to market demand.

Note: Lending network assets using a TWAP oracle take their price over a timespan of at least 30 minutes. This is not a new implementation on Ola’s networks, but it deters price manipulation in the first place, because of the costs associated with manipulating a price for such a long period of time.
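
The following Python model of measures 1 and 2 is an added illustration, not Ola's contract code. It replays the $1M / $1.5M example above and then pauses the market. The class and method names, the 0.75 collateral factor, the `partner-multisig` guardian, and the rule that collateral value above the cap is simply not counted are all assumptions.

```python
from dataclasses import dataclass, field

class MarketPaused(Exception): pass
class NotAuthorized(Exception): pass

@dataclass
class MoneyMarket:
    """Toy model of one money market (illustrative only)."""
    collateral_cap_usd: float                      # active collateral cap (ACC)
    collateral_factor: float = 0.75                # assumed, not from the article
    guardians: set = field(default_factory=set)    # whitelisted pausers
    active_collateral_usd: float = 0.0
    supply_paused: bool = False
    borrow_paused: bool = False
    counted_usd: dict = field(default_factory=dict)  # collateral counted per user
    debt_usd: dict = field(default_factory=dict)

    def set_paused(self, caller, supply, borrow):
        if caller not in self.guardians:           # only whitelisted addresses
            raise NotAuthorized(caller)
        self.supply_paused, self.borrow_paused = supply, borrow

    def supply_collateral(self, user, tokens, oracle_price_usd):
        if self.supply_paused:
            raise MarketPaused("supply")
        # Whatever the oracle says, only the headroom under the cap counts.
        headroom = max(self.collateral_cap_usd - self.active_collateral_usd, 0.0)
        counted = min(tokens * oracle_price_usd, headroom)
        self.active_collateral_usd += counted
        self.counted_usd[user] = self.counted_usd.get(user, 0.0) + counted
        return counted

    def borrow(self, user, amount_usd):
        if self.borrow_paused:
            raise MarketPaused("borrow")
        limit = self.counted_usd.get(user, 0.0) * self.collateral_factor
        if self.debt_usd.get(user, 0.0) + amount_usd > limit:
            raise ValueError("exceeds borrow limit")
        self.debt_usd[user] = self.debt_usd.get(user, 0.0) + amount_usd

    def repay(self, user, amount_usd):
        # Not gated by the pause flags: existing positions can still be closed.
        self.debt_usd[user] = max(self.debt_usd.get(user, 0.0) - amount_usd, 0.0)

def demo():
    m = MoneyMarket(collateral_cap_usd=1_500_000, guardians={"partner-multisig"})
    m.supply_collateral("honest", 1_000_000, 1.0)          # $1M honest collateral
    counted = m.supply_collateral("attacker", 1_000, 1e9)  # "$1T" at a manipulated price
    m.borrow("attacker", 300_000)                          # under 0.75 * $500k
    m.set_paused("partner-multisig", supply=True, borrow=True)
    return counted, m
```

In this model the attacker's inflated position is counted as $500,000, and once the guardian pauses the market any further `borrow` raises `MarketPaused` while `repay` still succeeds.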

3. Token Report

We will release a report analyzing the token transfer logic of all tokens currently used in our partners’ lending networks. In addition, we will continue to update this report for tokens listed by network owners in the future to ensure there are no vulnerabilities present in a token’s contract. This report will be publicly listed on Ola Finance’s Gitbook.

Ola Finance is using the lessons learned from this exploit to upgrade our security practices and strengthen our habits. Conducting proper due diligence remains a priority for our team and we will ensure future growth is not achieved at the expense of security.

Ola Finance is a platform for creating custom decentralized lending networks.