Explained: The OlympusDAO Hack (October 2022)


Rob Behnke

October 27th, 2022

In October 2022, OlympusDAO was the victim of an attack. The attacker exploited a smart contract vulnerability to steal 30,000 OHM tokens before returning them after an undisclosed deal.

Inside the Attack

OlympusDAO’s OHM Bonds project is still in its early stages. The target of the attack was a smart contract developed by the Bond protocol. This contract was part of a pilot designed to perform price discovery for the tokens.

This smart contract contained a redeem function that did not perform proper input validation before allowing a user to redeem tokens. Due to this lack of validation, the attacker was able to drain approximately $292,000 in tokens from the project.
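One way the missing check could look, as an added sketch that is not the Bond protocol's code. The page does not say which input went unvalidated, so this assumes it is the caller-supplied bond token address; every contract, function and error name here is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration only; all names are hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IBondToken {
    function underlying() external view returns (IERC20);
    function expiry() external view returns (uint48);
    function burn(address from, uint256 amount) external;
}

contract TellerSketch {
    // Bond tokens this teller deployed itself: the only ones it may honour.
    mapping(address => bool) public issuedByTeller;

    error UnknownBondToken(address token);
    error NotYetExpired(uint48 expiry);

    // Called from the teller's own bond-creation path (not shown).
    function _recordIssued(address token) internal {
        issuedByTeller[token] = true;
    }

    // Weak form: the expiry, the burn and the payout asset are all answers
    // given by `token`, an address the caller chose and nothing has verified.
    function redeemUnchecked(IBondToken token, uint256 amount) external {
        if (uint48(block.timestamp) < token.expiry()) revert NotYetExpired(token.expiry());
        token.burn(msg.sender, amount);
        require(token.underlying().transfer(msg.sender, amount), "transfer failed");
    }

    // Hardened form: check the argument against teller-owned state before
    // trusting anything the token contract reports about itself.
    function redeem(IBondToken token, uint256 amount) external {
        if (!issuedByTeller[address(token)]) revert UnknownBondToken(address(token));
        if (uint48(block.timestamp) < token.expiry()) revert NotYetExpired(token.expiry());
        token.burn(msg.sender, amount);
        require(token.underlying().transfer(msg.sender, amount), "transfer failed");
    }
}
```

The only difference between the two functions is the registry lookup, which is the kind of single-line check that a review of externally supplied addresses should look for.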

Ironically, exploiting the vulnerability was not the best choice for the attacker: OlympusDAO is performing a phased rollout of OHM Bonds and runs a robust bug bounty program on Immunefi. Reporting the bug and claiming a bounty would actually have given the hacker a higher payout.

Lessons Learned From the Attack

The OlympusDAO incident demonstrates the value of prioritizing security in the DeFi world. The vulnerability in question had not been detected by three security auditors or through the Immunefi bounty program. However, OlympusDAO’s choice to slowly roll out the new features meant that the impact of the attack was limited even before the funds were returned.

Security audits, bug bounties, and similar best practices can be essential to protecting blockchain projects against costly hacks. Want to learn more? Reach out to Halborn’s blockchain security experts at halborn@protonmail.com.