The tragedy of composability repeats

@0xtarafans and @i2huer

Produced by PNM x Narya Labs (we are hiring👾)

TL;DR

On March 31, 2022, Ola Finance, a decentralized lending protocol on the Fuse network blockchain, was hacked with a loss of ~$4.67M. The attacker used a flash loan to exploit a re-entrancy bug caused by the ERC677 token standard.

Transaction

11 attack transactions exploited the re-entrancy issue to drain tokens from various lending pools, all following the same pattern. The official post in the references has the complete list of transactions. Here we list only the transactions discussed in this post.

Transaction 0x1b3e06b6b310886dfd90a5df8ddbaf515750eda7126cf5f69874e92761b1dc90 - Fuse Explorer

Exploit

A functional PoC of the hack reconstructed by PNM

postmortem/2022/ola at main · PwnedNoMore/postmortem

1 Vulnerability

1.1 Background

The lending protocol of Ola Finance is derived from a fork of Compound on the Fuse network. The lending pool for each token is implemented as a cToken smart contract, and a cToken is ERC-20 compatible. Ola renames cToken to oToken. For convenience, we still use the term cToken in places in this post; there it refers to Ola's contracts and has nothing to do with Compound itself.

Here is an example: oBUSD, a cToken contract that implements Ola's lending pool for Binance USD (BUSD).

CErc20Delegator (0xBaAFD1F5e3846C67465FCbb536a52D5d8f484Abc) - Fuse Explorer

CErc20DelegateV0_02 (0xd3f5070d524780CD204AF5A64d6B7D722F686729) - Fuse Explorer