Hacker drains $300,000 from Olympus DAO on Bond Protocol

Quick Take

  • A hacker stole $300,000 from DeFi protocol Olympus DAO in a security exploit today. 
  • The hacker later returned all of the funds following a negotiated deal. 

Update (11 a.m. ET): The hacker has returned all of the stolen tokens following a negotiated deal, a spokesperson from Olympus DAO told The Block.

A hacker drained 30,437 OHM tokens (about $300,000) from one of the smart contracts on Bond Protocol that Olympus DAO operated at 1:22 a.m. ET today. The incident took place because the specific contract failed to properly validate the hacker’s malicious fund transfer request, according to security firm PeckShield.

The affected contract, known as “BondFixedExpiryTeller,” was used to open bonds denominated in the Olympus DAO’s OHM tokens. The contract lacked a validation input in the “redeem() function,” which allowed the attacker to trick input values to redeem funds, PeckShield said. 

In the official Discord, the Olympus team acknowledged the exploit and said: "This morning, an exploit occurred through which the attacker was able to withdraw roughly 30K OHM ($300K) from the OHM bond contract at Bond Protocol.” The team said the rest of $217 million staked on Olympus DAO was safe.

Olympus DAO is a DeFi protocol with a treasury that backs the OHM token. It offers cryptocurrency bonds denominated in vested OHM tokens. The DAO issues OHM tokens at a discount to investors in exchange for their cryptocurrencies, a process designed to increase its treasury over time. 

Headline and report copy updated for clarity.

© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.