Polter Finance Drained of Most Funds in Massive Exploit
Polter Finance, a decentralised lending platform on the Fantom blockchain, was severely impacted by a flash loan exploit on 18 November, resulting in the loss of over $7 million.
ALERT: @PolterFinance has reported an exploit on the #Fantom chain. Over $7M in digital assets have been stolen!
Transaction: https://t.co/2sFDXiLkpm
The attacker was originally funded via @TornadoCash on #Ethereum, with funds later bridged to #Fantom.
The team has taken… https://t.co/dYgVzDdsoh pic.twitter.com/N1u5sh7BPf
Cyvers Alerts (@CyversAlerts), November 18, 2024
Blockchain analyst Nick Franklin confirmed that the attack was a classic example of price manipulation using the platform's token pricing mechanisms.
The attacker first funnelled funds through Tornado Cash, a coin mixer that obfuscates fund origins, before bridging the assets to the Fantom network.
Once on Fantom, the attacker manipulated the price of the SpookySwap governance token (BOO) by borrowing nearly all BOO tokens from the liquidity pool, causing the token's price to spike.
With the price inflated, the attacker deposited just one BOO token and drained the liquidity pools of $9.1 million in wrapped Fantom tokens, profiting $7.8 million.
Further attacks followed, targeting other tokens, including Magic Internet Money (MIM), sFTMX, Axelar USDC, and Bitcoin.
Estimates suggest the total loss may have exceeded $12 million.
Very very classic oracle issue. As you can see from the picture, the BOO token price is very high. Why? The BOO token price is calculated using Spooky LP token state. This can be easily manipulated using a flash loan. At the beginning of the attack, the hacker borrowed almost all BOO tokens from https://t.co/MGkrsBsmpw pic.twitter.com/kdSJilOdZr
Nick L. Franklin (@0xNickLFranklin), November 18, 2024
While Franklin did not speculate on how the attacker repaid the flash loan, it is possible they purchased additional BOO tokens from other pools at a lower price.
The incident is a stark reminder of the risk carried by platforms that price collateral off low-liquidity tokens, whose on-chain prices are particularly easy to manipulate in DeFi ecosystems.
Polter Finance Took Action
Upon identifying the breach, Polter Finance swiftly paused its platform to mitigate further damage and alerted key bridge operators.
The pseudonymous founder, "Whichghost," filed a police report in Singapore and has been in direct communication with the attacker in an effort to negotiate a resolution.
The following is the police report filed regarding the @polterfinance exploit $POLTER pic.twitter.com/1PycJIrbZV
whichghost | Polter Finance (@whichghost), November 17, 2024
The exploit, which stemmed from a vulnerability in the platform's newly deployed smart contract, drained user assets, with reported losses exceeding 16.1 million SGD (approximately $12 million USD).
However, some Web3 security firms estimate the actual amount stolen was closer to $7 million.
In addition to the platform's losses, Whichghost personally reported a loss of $223,219 and shared a post-mortem link on Discord.
Attaching the post mortem link from Discord here https://t.co/peEU6T1H5M
whichghost | Polter Finance (@whichghost), November 17, 2024
In a statement posted on X (formerly known as Twitter), Polter Finance revealed that the stolen funds were traced to wallets linked to Binance.
The platform was paused soon after the exploit was identified.
Bridges were notified.
We identified wallets involved and traced it to Binance.
We are still investigating the nature of the exploit.
We are in the process of contacting the Authorities.
polterfinance (@polterfinance), November 17, 2024
The team also sent an on-chain message to the attacker, offering to negotiate the return of the funds without legal action.
We are formally reaching out on-chain to the exploiter regarding the $POLTER exploit. pic.twitter.com/XKrYlahaSx
polterfinance (@polterfinance), November 17, 2024
This move underscores the platform's efforts to recover the stolen assets while minimising legal escalation.
Industry Experts Weigh in
Web3 security experts believe the exploit stemmed from a price manipulation attack involving oracles, the external data feeds platforms use to determine token values.
According to findings shared by smart contract audit firm QuillAudits, the vulnerability was tied to how Polter Finance calculated the value of the SpookySwap BOO token.
QuillAudits said:
"The price of the SpookySwap BOO token in the lending pool was determined by the spot price from the SpookySwap v3 pool and v2 pair; calculated based on the token balance ratio in the pool."
By artificially inflating the price of BOO, the hacker was able to deposit a minimal amount (just one BOO token) and withdraw significantly larger sums in other assets, effectively draining the platform.
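As an added illustration (not code from the article, Polter Finance or SpookySwap), the following Python model shows why a spot oracle read from a pair's balance ratio, as described in the QuillAudits finding and in the attack walkthrough above, collapses once most of one token leaves the pair, and how a deviation check against a slower reference price would refuse the inflated quote. The reserve sizes, the loan-to-value ratio and the reference price are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pair:
    """Constant-product (x*y=k) pair, BOO vs wFTM. Reserves are constructed, not Spooky's."""
    boo: float
    wftm: float

    def spot_price(self) -> float:
        # The oracle the article describes: price = balance ratio of the pool.
        return self.wftm / self.boo

    def remove_boo(self, amount: float) -> float:
        """Pull `amount` BOO out of the pair, adding the wFTM that keeps k constant.
        Returns the wFTM added. Reserve-based pricing is what makes this move the quote."""
        k = self.boo * self.wftm
        new_boo = self.boo - amount
        wftm_in = k / new_boo - self.wftm
        self.boo, self.wftm = new_boo, self.wftm + wftm_in
        return wftm_in


def borrow_capacity(price: float, collateral: float, ltv: float = 0.75) -> float:
    """Lending-side valuation: collateral units * oracle price * loan-to-value (assumed 75%)."""
    return price * collateral * ltv


def guarded_price(spot: float, reference: float, max_deviation: float = 0.10) -> Optional[float]:
    """Defensive check: refuse a spot quote that drifts more than max_deviation from a
    slower reference (TWAP or external feed), and never value collateral above the reference."""
    if reference <= 0 or abs(spot - reference) / reference > max_deviation:
        return None
    return min(spot, reference)


def run_scenario(boo_removed: float = 99_990.0, deposit: float = 1.0) -> dict:
    pair = Pair(boo=100_000.0, wftm=100_000.0)  # constructed: 1 BOO = 1 wFTM before the attack
    reference = pair.spot_price()                # stands in for a TWAP observed before the block
    pair.remove_boo(boo_removed)                 # almost all BOO leaves the pair in one transaction
    spot = pair.spot_price()
    safe = guarded_price(spot, reference)
    return {
        "price_before": reference,
        "price_after": spot,
        "naive_capacity": borrow_capacity(spot, deposit),      # what a spot oracle lends against 1 BOO
        "guarded_capacity": None if safe is None else borrow_capacity(safe, deposit),
    }


if __name__ == "__main__":
    print(run_scenario())
```

With the constructed reserves, a single deposited BOO is valued at a hundred million wFTM by the naive oracle, while the guarded valuation returns None and the lending path should refuse or pause.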
Hakan Unal, Senior Blockchain Scientist at Cyvers Ai, noted:
"This case exemplifies a classic Oracle manipulation exploit. The BOO token price is manipulated by the attacker using a flash loan to artificially inflate the BOO token's price."
In response, Polter Finance has partnered with the Security Alliance Information Sharing and Analysis Center (SEAL-ISAC) to track down the attacker and recover the stolen funds.
We are actively working with @cryptogle @_SEAL_Org @MatchSystems to find resolution to the $POLTER exploit.
Please understand we cannot answer specific questions right now, but will give another announcement as soon as we are able to.
polterfinance (@polterfinance), November 18, 2024