Polter Finance, a decentralized lending platform, had to cease operations after an attack in which nearly all assets on the platform were stolen. Total estimated losses reached up to 16.1 million Singapore dollars (equivalent to 12 million USD), according to reports from the founding team.
Incident details:
1. How the attack occurred:
• The hacker exploited a flaw in how Polter Finance priced the BOO token, an asset traded on the SpookySwap platform.
• Through oracle manipulation (feeding the lending platform a manipulated price), the attacker used a flash loan to inflate the price of the BOO token and then executed transactions that withdrew a large amount of assets from the platform.
2. Attack journey:
• The attacker initially used Tornado Cash, a coin mixing tool on Ethereum, to obscure the origin of the funds.
• The money was then bridged to the Fantom network, where the security vulnerability in the smart contract was exploited.
3. Damages:
• According to reports, the hacker withdrew over $7-12 million in assets, draining the TVL (Total Value Locked) of Polter Finance, which stood at $9.7 million before the hack.
• The anonymous founder of Polter, Whichghost, also suffered a personal loss of approximately $223,219.
4. Actions from Polter Finance:
• The platform has temporarily suspended operations to contain the damage and has notified bridge providers.
• Polter sent an on-chain message to the hacker, proposing to negotiate the return of funds without legal action.
• At the same time, they are cooperating with SEAL-ISAC to trace the attacker.
Root cause:
• According to the security audit company QuillAudits, the issue lay in how Polter Finance calculated the price of the BOO token: it was derived directly from the ratio of tokens held in the SpookySwap (v3 and v2) liquidity pairs, i.e. the pool's spot price.
• This allowed the attacker to push up the price of BOO with a flash loan and withdraw assets worth many times their actual value.
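To make the root cause concrete, the following is an added, constructed Python simulation; it is not Polter Finance's or SpookySwap's code, and the pool sizes, loan-to-value ratio, deviation tolerance and borrower collateral are all hypothetical. It contrasts a lending contract that values collateral at an AMM pair's spot price (the reserve ratio) with one that checks that spot price against a time-weighted average: a single large swap moves the reserve ratio immediately, but a TWAP sampled once per block does not see a swap that is made and unwound within the same block.

```python
"""Constructed simulation: spot-price oracle vs. TWAP-checked oracle.

Added example, not code from Polter Finance or SpookySwap. Reserves,
LTV, tolerance and collateral amounts are invented for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ConstantProductPool:
    """Toy x*y=k AMM pair (BOO/FTM) whose price is only its reserve ratio."""
    reserve_boo: float
    reserve_ftm: float

    def spot_price(self) -> float:
        """FTM per BOO, read straight from the reserves."""
        return self.reserve_ftm / self.reserve_boo

    def swap_ftm_for_boo(self, ftm_in: float) -> float:
        """Sell ftm_in FTM into the pool; returns the BOO received (no fee)."""
        k = self.reserve_boo * self.reserve_ftm
        new_ftm = self.reserve_ftm + ftm_in
        new_boo = k / new_ftm
        boo_out = self.reserve_boo - new_boo
        self.reserve_boo, self.reserve_ftm = new_boo, new_ftm
        return boo_out


@dataclass
class TwapOracle:
    """Simplified time-weighted average: one observation per block, so a
    swap made and unwound inside one block never enters the window."""
    window_blocks: int
    samples: list = field(default_factory=list)  # (block, price) pairs

    def observe(self, block: int, price: float) -> None:
        self.samples.append((block, price))
        self.samples = [s for s in self.samples if s[0] > block - self.window_blocks]

    def price(self) -> float:
        return sum(p for _, p in self.samples) / len(self.samples)


LTV = 0.75            # hypothetical loan-to-value ratio
MAX_DEVIATION = 0.05  # hypothetical spot-vs-TWAP tolerance (5%)


def max_borrow_ftm(collateral_boo: float, price_ftm_per_boo: float) -> float:
    """Borrowing power granted against BOO collateral at the given price."""
    return collateral_boo * price_ftm_per_boo * LTV


def hardened_price(spot: float, twap: float) -> float:
    """Defensive valuation: if spot deviates from the TWAP by more than
    MAX_DEVIATION, value collateral at the lower of the two (a production
    protocol would more typically pause borrowing for that asset)."""
    if abs(spot - twap) / twap > MAX_DEVIATION:
        return min(spot, twap)
    return spot


def run_scenario() -> dict:
    """Ten quiet blocks, then a flash-loan-sized swap in block 11."""
    pool = ConstantProductPool(reserve_boo=1_000_000, reserve_ftm=100_000)
    twap = TwapOracle(window_blocks=10)
    for block in range(1, 11):            # price is 0.1 FTM/BOO throughout
        twap.observe(block, pool.spot_price())

    collateral_boo = 10_000               # borrower's deposited BOO (constructed)
    honest_spot = pool.spot_price()
    naive_before = max_borrow_ftm(collateral_boo, honest_spot)

    # Block 11: a large swap moves the reserve ratio before any oracle sample.
    pool.swap_ftm_for_boo(900_000)
    manipulated_spot = pool.spot_price()  # reserves now 100k BOO / 1M FTM

    naive_after = max_borrow_ftm(collateral_boo, manipulated_spot)
    hardened_after = max_borrow_ftm(
        collateral_boo, hardened_price(manipulated_spot, twap.price())
    )
    return {
        "honest_spot": honest_spot,
        "manipulated_spot": manipulated_spot,
        "twap": twap.price(),
        "borrow_spot_oracle_before": naive_before,
        "borrow_spot_oracle_after": naive_after,
        "borrow_hardened_after": hardened_after,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:28s} {value:,.4f}")
```

With these constructed numbers the spot price moves from 0.1 to 10 FTM per BOO inside one block, so the spot-price valuation grants 100 times the borrowing power for the same collateral, while the TWAP-checked valuation is unchanged. The point for a defender is that an on-chain spot price is an input the borrower can influence within the same transaction; a lending protocol should value collateral from a source that cannot be moved atomically (a TWAP, a decentralized price feed, or both with a deviation check) and should treat a large spot-vs-reference divergence as a reason to halt rather than to lend.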
Impact and lessons learned:
1. Impact on the crypto industry:
• This hack is a prime example of the security vulnerabilities found in DeFi platforms. According to reports from Certik, total losses from hacks across the crypto industry exceeded $2 billion in 2024, with over 44 incidents attributed to code errors.
2. Lessons learned:
• Relying on an unsafe oracle, such as a manipulable on-chain spot price, can lead to serious vulnerabilities. Projects need to conduct strict security audits and harden their smart contracts before deployment.
Conclusion:
The Polter Finance hack is not only a cautionary lesson for blockchain developers but also a warning to investors to be careful when participating in unverified DeFi platforms.