Polter Finance hit by flash loan attack for $12 million, suspected to be related to SpookySwap oracle bug.

Polter Finance, a decentralized lending platform, officially announced its shutdown on November 17 after a serious attack that caused a loss of approximately $12 million. The attack was carried out via flash loans, targeting a newly deployed smart contract on the SpookySwap (BOO) market. The stolen funds were reportedly transferred through multiple wallets on the Binance exchange.

According to Web3 security firm TenArmor, the attack originated from an oracle bug in the smart contract of the SpookySwap marketplace. This vulnerability allowed the attacker to manipulate the value of assets and illegally withdraw large amounts of money. Notably, the BOO marketplace had a total value locked (TVL) of only around $3,000 before the incident, while the damage reached $12 million, a significant difference in scale.
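The gap between a roughly $3,000 market and a $12 million loss is the kind of mismatch a lending protocol can test for before listing an asset. The following is an added example, not code from Polter Finance, SpookySwap or TenArmor. The exact oracle design has not been disclosed, so the constant-product pool, the 0.3% fee, the 5% thresholds and all reserve figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product (x*y=k) pool used as a price source (assumed design)."""
    token: float          # reserve of the listed token
    quote: float          # reserve of the quote asset, in USD terms
    fee: float = 0.003    # assumed swap fee

    def spot_price(self) -> float:
        return self.quote / self.token

    def price_after_buy(self, quote_in: float) -> float:
        """Spot price after one swap of quote_in quote asset for the token."""
        effective = quote_in * (1 - self.fee)
        token_left = self.token * self.quote / (self.quote + effective)
        return (self.quote + quote_in) / token_left


def price_move(pool: Pool, stress_capital: float) -> float:
    """Factor by which a single trade of stress_capital moves the spot price."""
    return pool.price_after_buy(stress_capital) / pool.spot_price()


def listing_ok(pool: Pool, stress_capital: float, max_move: float = 0.05) -> bool:
    """Pre-listing check: reject a price source one trade can move by > max_move."""
    return price_move(pool, stress_capital) - 1 <= max_move


def accept_price(spot: float, reference: float, max_dev: float = 0.05) -> bool:
    """Runtime guard: refuse a spot reading that strays from a slower reference
    (e.g. a time-weighted average or an independent feed)."""
    return abs(spot - reference) / reference <= max_dev


# Constructed inputs: a ~$3,000 pool (the TVL figure in the article) and a deep pool.
THIN = Pool(token=1_500, quote=1_500)
DEEP = Pool(token=25_000_000, quote=25_000_000)
STRESS = 100_000  # assumed capital available within a single transaction

if __name__ == "__main__":
    for name, pool in (("thin", THIN), ("deep", DEEP)):
        print(name, f"move x{price_move(pool, STRESS):,.3f}",
              "listing_ok =", listing_ok(pool, STRESS))
    print("accept manipulated reading:",
          accept_price(THIN.price_after_buy(STRESS), reference=1.0))
```

With these constructed numbers the thin pool fails the listing check by several orders of magnitude while the deep pool passes, and the runtime guard rejects the distorted reading.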

While Polter Finance has not released specific details about how the attack was carried out, the platform sent an on-chain message to the attacker, offering to negotiate and promising immunity from prosecution if the funds are returned. However, there has been no response from the attacker so far.

Source: Polter Finance

The anonymous founder of Polter Finance, known as Whichghost, filed a complaint with the Singapore police on the day of the incident. The complaint alleges that the total loss is more than S$16.1 million ($12 million), including Whichghost’s personal loss of $223,219. He claims that he did not share his private keys and suspects that a newly deployed smart contract on the platform for the BOO token was exploited.

The incident has sent shockwaves through the DeFi community and raised many questions. On the X platform (formerly Twitter), some have suggested that this could be an insider attack, with the police report being a distraction strategy. To assist in the investigation, Polter Finance is working with the Security Information Sharing and Analysis Center (SEAL-ISAC) to track down the attacker.

Prior to the incident, Polter Finance had a total market cap of around $12 million, including assets such as Fantom, wrapped USD Coin (wUSDC), Magic Internet Money (MIM), and Stader sFTMX. These are some of the notable DeFi platforms in the Fantom ecosystem.