Fuse Lending, an implementation of lending protocol Ola Finance on Fuse Network, suffered a hack today. In the incident, the attacker pocketed an estimated $3.6 million in various assets.
The incident involved a common issue known as a reentrancy bug, a smart contract vulnerability that enables hackers to make repeated calls to a protocol in order to steal assets. Just a few weeks ago, two DeFi protocols on Gnosis Chain – Hundred Finance and Agave – lost customer funds amounting to more than $11 million in flash loan attacks resulting from reentrancy bugs.
Security firm PeckShield told The Block that the hacker started by first borrowing funds using their own collateral. After that, taking advantage of the reentrancy vulnerability within Fuse Lending's smart contracts, the hacker was able to remove the collateral without repaying the loan they took. The perpetrator then repeated the same process on other Fuse Lending pools to make off with $3.6 million in total.
After draining the funds, the perpetrator transferred them from Fuse Network to other blockchains – BNB Chain and Ethereum – via Fuse’s own cross-chain bridge. Of the total loot, it is reported that the hacker holds $3 million on Ethereum and another $637,000 on BNB Chain.
Ola Finance said it's still investigating the incident and promised to come out with a post-mortem report soon. Fuse Lending remains paused to control the damage. The project noted its lending services on other blockchains were unaffected in the incident.
Update: This article has been amended to clarify that Fuse Lending was affected rather than Ola Finance itself.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.