Polter Finance Suffers $12 Million Oracle Manipulation Exploit

Polter Finance, a decentralized finance (DeFi) platform on the Fantom network, was hacked for $12 million in an oracle manipulation exploit targeting its newly launched SpookySwap ($BOO) token lending market. The attack highlights the ongoing vulnerabilities in DeFi protocols, especially those tied to faulty oracle implementations.

Details of the Exploit

On November 17, the attacker executed a flash loan attack to manipulate the price of the $BOO token, the governance token of SpookySwap. By artificially inflating $BOO's value, the attacker was able to drain the total value locked (TVL) from Polter Finance's liquidity pools.

The drained funds were a mix of tokens: $7.87 million in Fantom (FTM), $1.03 million in wrapped USD Coin (USDC), $2.1 million in Stader sFTMX, and $251,000 in Magic Internet Money (MIM).

The exploited $BOO token market had a valuation of only $3,000, underscoring the disproportionate impact of the attack.
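
The mechanism described above, a lending market trusting the spot price of a thinly traded pool, can be seen in a constructed simulation. The code below is an added example, not Polter Finance's or SpookySwap's code: it models a minimal constant-product pool, shows how one large swap moves its spot price by orders of magnitude, and contrasts a market that values collateral at that spot price with one that cross-checks spot against a time-weighted average price (TWAP) and refuses to value collateral when the two diverge. The pool reserves, the 80% loan-to-value ratio, the 5% deviation cap and the ten-block window are all assumed values chosen for illustration.

```python
# Constructed simulation, not Polter Finance's code: collateral valued at a thin
# pool's spot price versus collateral valued with a TWAP deviation check.
from dataclasses import dataclass, field

LOAN_TO_VALUE = 0.8   # assumed: borrower may take up to 80% of collateral value
MAX_DEVIATION = 0.05  # assumed: refuse spot prices more than 5% away from the TWAP


@dataclass
class ConstantProductPool:
    """Minimal x*y=k AMM with no fees. `token` is the thin collateral asset, `quote` a stablecoin."""
    token: float
    quote: float

    def spot_price(self) -> float:
        return self.quote / self.token

    def buy_token(self, quote_in: float) -> float:
        """Swap quote for token and return the tokens received; a large buy moves the spot price sharply."""
        k = self.token * self.quote
        new_quote = self.quote + quote_in
        new_token = k / new_quote
        received = self.token - new_token
        self.token, self.quote = new_token, new_quote
        return received


@dataclass
class TwapOracle:
    """Equal-weighted average of one price observation per block inside the window."""
    window_blocks: int
    observations: list = field(default_factory=list)  # (block, price)

    def record(self, block: int, price: float) -> None:
        self.observations.append((block, price))

    def twap(self, current_block: int) -> float:
        recent = [p for b, p in self.observations if b > current_block - self.window_blocks]
        return sum(recent) / len(recent)


def borrowable_spot(pool: ConstantProductPool, collateral_amount: float) -> float:
    """Weak design: value collateral at whatever the pool reports right now."""
    return collateral_amount * pool.spot_price() * LOAN_TO_VALUE


def borrowable_guarded(pool: ConstantProductPool, oracle: TwapOracle, block: int,
                       collateral_amount: float, max_deviation: float = MAX_DEVIATION) -> float:
    """Hardened design: reject a spot price that deviates from the TWAP; otherwise value at the lower of the two."""
    spot = pool.spot_price()
    reference = oracle.twap(block)
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError(f"spot {spot:.2f} deviates more than {max_deviation:.0%} from TWAP {reference:.2f}")
    return collateral_amount * min(spot, reference) * LOAN_TO_VALUE


def simulate() -> dict:
    pool = ConstantProductPool(token=1_000.0, quote=3_000.0)  # constructed: price 3.0, about $6k of liquidity
    oracle = TwapOracle(window_blocks=10)
    for block in range(1, 11):  # ten calm blocks observed at the honest price
        oracle.record(block, pool.spot_price())
    current_block = 11

    result = {"price_before": pool.spot_price()}
    # An ordinary borrower in a calm market: spot and TWAP agree, so the guarded market serves them.
    result["borrowable_guarded_before"] = borrowable_guarded(pool, oracle, current_block, 100.0)

    # One flash-loan-sized buy inside block 11, before the oracle has recorded that block.
    collateral = pool.buy_token(quote_in=100_000.0)
    result["price_after"] = pool.spot_price()
    result["collateral_tokens"] = collateral
    result["borrowable_spot"] = borrowable_spot(pool, collateral)
    try:
        result["borrowable_guarded"] = borrowable_guarded(pool, oracle, current_block, collateral)
        result["guarded_rejected"] = False
    except ValueError as exc:
        result["borrowable_guarded"] = None
        result["guarded_rejected"] = True
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Against the spot-priced market, tokens bought with 100,000 of quote are valued at roughly 3.4 million and unlock about 2.75 million of borrowing in the same transaction; the guarded market rejects the valuation because the spot price is more than a thousand times the TWAP. Production oracles (Uniswap-style cumulative TWAPs, or an external feed with a staleness and deviation check) are more involved than this toy, but the defensive principle is the one shown: never let a price that a single transaction can set determine how much a lender will pay out.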

Platform Response and Community Reaction

The pseudonymous founder of Polter Finance, known as Whichghost, quickly responded to the incident. He informed users that operations on the platform were paused to contain further damage. A police report was also filed with Singaporean authorities, with Whichghost's identity authenticated via Singpass, Singapore's national digital identity system.

The stolen funds were traced to wallets on the Binance exchange. Polter also reached out to the attacker via on-chain messaging, offering to negotiate the return of funds with potential impunity. At the time of writing, the attacker had not responded to these outreach efforts. Meanwhile, critics on social media expressed skepticism, with some speculating that the hack could involve insider activity. Filing a police report, they argued, may divert attention from internal scrutiny.

Security Investigations Underway

The attack leveraged vulnerabilities in Polter’s oracle pricing system. Security firms confirmed the exploit involved a price-related flash loan attack. Polter has since partnered with the Security Alliance Information Sharing and Analysis Center (SEAL-ISAC) to aid in tracking down the attacker and recovering stolen funds. Despite these measures, the incident has raised questions about the platform’s risk management, given the size of the exploit relative to the $BOO market valuation.

Furthermore, the founder disclosed personal losses of over $223,000 as part of the $12 million hack. In the police report, he stated: “I did not provide anyone with my private keys. I believe the newly deployed smart contract for $BOO token lending was exploited, leading to unauthorized transactions.”

What’s Next for Polter Finance?

The hack represents a significant blow to Polter Finance and its community. While the platform has taken immediate steps to investigate and respond, the event underscores the importance of robust security practices, especially around oracle pricing mechanisms in DeFi. As DeFi continues to expand, this exploit serves as a cautionary tale for developers and users alike. Additionally, it shows the need for third-party audits and vigilant monitoring of protocol vulnerabilities.

FAQs

Q1: What is Polter Finance?

A: Polter Finance is a decentralized non-custodial lending and borrowing platform built on the Fantom blockchain.

Q2: How did the hack occur?

A: The attacker exploited a faulty oracle price mechanism through a flash loan, manipulating the $BOO token's value to drain liquidity pools worth $12 million.

Q3: What tokens were stolen in the attack?

A: The stolen assets included $7.87 million in Fantom (FTM), $1.03 million in wrapped USDC, $2.1 million in Stader sFTMX, and $251,000 in Magic Internet Money (MIM).

Q4: Has the hacker been identified or contacted?

A: The stolen funds were traced to Binance wallets, and Polter Finance reached out to the attacker via on-chain messaging to negotiate a return, but no response has been received so far.
