Fuse Lending suffers $3.6 million hack on Fuse Network

Quick Take

  • Fuse Lending has lost $3.6 million to an attack on its lending product.
  • An unknown hacker took advantage of a reentrancy vulnerability in the protocol’s smart contract.

Fuse Lending, an implementation of lending protocol Ola Finance on Fuse Network, suffered a hack today. In the incident, the attacker pocketed an estimated $3.6 million in various assets.

The incident involved a common issue known as a reentrancy bug, a smart contract vulnerability that enables hackers to make repeated calls to a protocol in order to steal assets. Just a few weeks ago, two DeFi protocols on Gnosis Chain – Hundred Finance and Agave – lost customer funds amounting to more than $11 million in flash loan attacks resulting from reentrancy bugs. 

Security firm PeckShield told The Block that the hacker started by first borrowing funds using their own collateral. After that, taking advantage of the reentrancy vulnerability within Fuse Lending's smart contracts, the hacker was able to remove the collateral without repaying the loan they took. The perpetrator then repeated the same process on other Fuse Lending pools to make off with $3.6 million in total. 

After draining the funds, the perpetrator transferred them from Fuse Network to other blockchains – BNB Chain and Ethereum – via Fuse’s own cross-chain bridge. Of the total loot, it is reported that the hacker holds $3 million on Ethereum and another $637,000 on BNB Chain.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy