Ola — Voltage Exploit on Fuse Network: Transparency Report, Compensation Plan and Future steps.

Joint Medium post from the teams at Ola Finance, Voltage and Fuse.

In this joint blog post we aim to provide a complete overview of events concerning the very unfortunate exploit which took place on 31st March leading to the theft of over $4 million and plans to make amends to those affected. It will also help community members and those interested to understand the relationship between Fuse/Voltage Finance and Ola Finance moving forward and our commitment to continued collaboration in order to make DeFi easier and more inclusive.

Ola Finance is a Lending-as-a-Service platform that allows anyone to create their own branded lending network at the click of a button. Each Lending Network (LeN) supports a number of different tokens, determined by the network creator, which can be lent and borrowed. Initially launched as “Fuse Lending Network’’, the key benefit for Fuse was to have lending launched on the platform without needing to internalize the resources typically needed for this type of implementation.

The collaboration with Fuse entails Ola Finance managing smart contract architecture and implementation as well as integrations that are core to the Ola platform such as price oracles. The creator, Fuse in this case, makes decisions about lending network configurations, including which tokens to list and parameters to set, such as collateral and liquidation factors within fixed ranges set by Ola Finance. Both parties benefit from the collaboration via a revenue sharing model.

Voltage — Ola Integration

In summer 2021 the process of integrating Ola into Voltage Finance (formerly FuseFi) began. Voltage Finance is the first all in one DeFi platform on Fuse Network, created by the Fuse Foundation and later spun out into an independent DAO in March 2022. Voltage Finance featured available lending assets’ data and APYs, requiring the user to redirect to the Ola platform in order to execute lending and borrowing orders. Full integration allowing the user to lend and borrow directly on Voltage Finance was part of the roadmap.

All time high lending network TVLs of over $10M were achieved in part thanks to multiple Rainmaker liquidity reward programs funded by the Fuse Foundation, with over 1000 individual wallets interacting with the platform.

The Exploit

The exploit occurred at around 2am UTC on 31st March. The value stolen summed up to ~$4.67M at the time of the attack in ETH, BTC and FUSE prices:

• 216,964.18 USDC
• 507,216.68 BUSD
• 200,000.00 fUSD
• 550.45 WETH
• 26.25 WBTC
• 1,240,000.00 FUSE

Blockchain security firm PeckShield provided an account of the exploit in a tweet; which was made possible due to incompatibility between Compound Finance forks and the ERC677 token standard that is used on Fuse Network. This led to a reentrancy attack which allowed the attacker to drain funds from the lending network before transferring them across the Ethereum and BNB Chain bridges.

More details, including information on the heist transactions and attacker’s wallet addresses can be found in Ola Finance’s blog post which summarizes the exploit.

Tracking of Funds, Bounty and Legal Action

As of writing, the stolen funds are still being held by the attacker on Ethereum and BNB Chain. Legal authorities have been alerted and we are working to prohibit the attacker from making any legal use of funds.

An attempt was made to establish contact with the hacker via data input on an Ethereum transaction on Thursday 31st March following the exploit. As of yet we have received no communication from him/her.

Funds were stolen from a passionate community of individuals and we encourage the attacker to contact hello@voltage.finance and/or hello@ola.finance in order to negotiate a bounty with 10% of the stolen amount being offered.

Strength in Unity

The last week has been tough for the teams involved and especially difficult for those directly impacted by the exploit and the subsequent loss of funds. Important lessons have been learned about the importance of taking a step back to consider risk during periods of rapid growth. We are convinced that the entire, collective community will come out of this stronger than ever. We’re more galvanized than ever in our mission to take DeFi mainstream. We also realize that, whilst unfortunate events like this can occur when battle-testing cutting-edge technology, making user safety a number one priority is crucial to the industry’s long-term success.

As stated in Ola’s post mortem report, a reentrancy protection patch that will allow for Compound forks to safely list tokens that adhere to the ERC677/ERC777 standards is being worked on which will need to undergo rigorous auditing and testing before reestablishing the lending network. The lending market will be reinstated as soon as both parties, along with security partners, are confident that ample measures have been taken to mitigate any future risk. The estimated time is 1–2 months.

As outlined in Ola Finance’s recent security update, other immediate measures are also being taken including providing partners with the ability to pause money markets in urgent situations.

The Fuse and Voltage teams are also working on plans to bolster security, particularly bridge upgrades, improved monitoring, and bounty increases in light of growing TVL on Fuse Network and the increased associated risk. A more detailed long term security roadmap will be communicated in the next few weeks. Voltage Finance will also help with financial costs related to auditing and monitoring of the lending network on an ongoing basis.

Compensation

We have collected final data concerning those affected by the attack and have developed a joint compensation plan between all parties involved.

The Ola and Fuse teams are working on a UI to facilitate the distribution of funds and will share access to the UI once complete. A list of affected wallet addresses and their entitled compensation amounts can be viewed below, with distribution amounts based on the following:

https://docs.google.com/spreadsheets/d/1aU4kn8opUQh_TKzbmUUX5MxaPC9zLn7o/edit#gid=1120906615

Compensation from the Fuse Foundation will be provided as follows:

• 250K USDC split proportionately between victims based on their percentage of the total amount stolen.
• 1 million FUSE distributed over 1 year and split proportionately among victims based on their percentage of the total amount stolen.

Compensation from the Voltage Finance treasury will be provided as follows:

• 250K USDC split proportionately among victims based on their percentage of the total amount stolen.
• 40 million VOLT distributed over 1 year and split proportionately among victims based on their percentage of the total amount stolen.

Compensation from Ola Finance will be provided as follows:

• Ola Finance pledges 400K of its future token distributed over 1 year from the TGE (date to be determined) and split proportionately among victims based on their percentage of the total amount stolen.
• Ola plans to generate 100M tokens, thereby designating 400K OLA as 0.4% of the total supply to reimburse the victims. While the future price of the Ola token is currently undetermined, victims have the option of receiving immediate compensation by converting their future token options to USDC at the value of $1 per Ola token. Currently, this option is limited to $200,000; however, should demand exceed this, Ola will work to bring in additional funds.
• To receive the USDC payout for Ola token options, victims must fill out the following form and join the group embedded within the form: https://docs.google.com/forms/d/e/1FAIpQLSeDGJvqPoGiGEz-WqwrOdYktZmnnkBM5PYE-duXuw5Ni7EQSQ/viewform?usp=sf_link
• The option to sign up for the USDC payout expires June 30th, 2022.

This compensation plan is subject to change if stolen funds are retrieved in the meantime via negotiations with the attacker.