PortalFinance Exploited, Hackers Drain it Fantom Chain of $7M

On November 18th, 2024, the decentralized finance (DeFi) PolterFinance, a lending platform operating on the Fantom blockchain, suffered a $7 million drain in digital assets after a hacker exploited their Fantom Chain.

The exploit, detailed in transaction 0x5118df23e81603a64c7676dd6b6e4f76a57e4267e67507d34b0b26dd9ee10eac on ftmscan.com, underscores the critical need for robust security protocols and thorough audits within the DeFi space.

PolterFinance Attack Explained

The hacker attack began with funds originating from Tornado Cash on the Ethereum network. Subsequently, these funds were bridged to the Fantom network, providing the attacker with the necessary capital to execute the exploit on Polter Finance.

Following the identification of the breach, Polter Finance swiftly responded by pausing platform operations to contain the damage. This immediate action, while disruptive to users, proved vital in preventing further losses.

Simultaneously, the team initiated contact with relevant bridge operators, facilitating the tracing of the involved wallets to Binance. Their proactive approach, combined with the ongoing investigation, indicates a commitment to addressing the situation comprehensively.

Furthermore, the team’s communication strategy also involved directly contacting the perpetrator, offering negotiation, and abstaining from legal action in exchange for the return of the stolen funds.

Notably, the precise nature of the exploit remains a subject of ongoing investigation and debate among security researchers. However, alternative analyses suggest that a “faulty oracle price” may have been the root cause.

Market Analysts’ Investigation of the Exploit

An analyst on X says “They experienced a significant exploit following the integration of a new BOO market. Initial assessments suggested a potential “empty market” rounding error, a common vulnerability in decentralized finance (DeFi) protocols.

However, a deeper investigation revealed a more insidious attack vector: manipulating the price oracle. The exploitative transaction, identifiable via the transaction hash [Transaction Hash: ftmscan[.]/tx/0x5118df23e81603a64c7676dd6b6e4f76a57e4267e67507d34b0b26dd9ee10eac], demonstrates a critical flaw in the protocol’s reliance on external price feeds.

The Polter Finance oracle system, at the time of the attack, relied on the SpookySwap V2/V3 pool for BOO token pricing. This dependency proved fatal, as the attack exploited the inherent vulnerability of such decentralized exchanges (DEXs) to manipulation through flash loans.

According to the source, the hacker leveraged a flash loan to temporarily inflate the price of BOO within the SpookySwap pool. This artificially high price, reported as approximately $1.373783e+18 after accounting for decimal places, was then fed to the Polter Finance oracle.