Rob Behnke
November 25th, 2024
In November 2024, Polter Finance, a DeFi lending protocol hosted on Fantom, was the victim of a hack. The attacker took advantage of a price manipulation vulnerability in the protocol’s smart contracts to drain an estimated $8.7 million from the project.
Polter Finance’s smart contract was largely a copy-paste of the Geist protocol. For this reason, the team didn’t perform a security audit of their own protocol, instead providing its users with a copy of the audit of the Geist contract.
This was especially problematic since the protocol included a simple price oracle manipulation vulnerability. Instead of using a trusted source for the price of its BOO token, the smart contract used the spot price from the SpookySwap V2/V3 pool for the token.
Relying on spot prices made the protocol vulnerable to oracle manipulation via flashloans. The attacker took out a large flashloan, altering the token balance in the SpookySwap pool and changing the perceived price of the BOO token. Then, the attacker could deposit some BOO into the protocol and take out a massive loan using the inflated price of the deposited tokens as collateral.
With this malicious loan, the attacker was able to drain approximately $8.7 million from the protocol. However, in the aftermath of the incident, the Polter Finance team filed a police report claiming that the losses totaled $12 million. The team also froze the protocol to prevent any further attacks and attempted to negotiate a bug bounty on-chain with the attacker.
The vulnerability exploited in the Polter smart contract is a classic example of an oracle manipulation vulnerability. Reliance on spot prices for tokens is always dangerous because these values can be manipulated by a flashloan.
In this case, the attacker was able to artificially inflate the perceived value of the BOO token by draining it from the pool used to calculate the token price. This meant that the BOO tokens that they later deposited into the contract were massively overvalued, allowing them to take out a far larger loan than that collateral should have supported.
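The effect of pricing collateral from pool reserves can be reproduced with a small numeric model. The following Python sketch is an added example, not code from Polter Finance, Geist or SpookySwap; the reserves, fee, loan-to-value ratio, the swap used to pull BOO out of the pool and the `guarded_price` deviation check are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

FEE = 0.003  # assumed swap fee of a constant-product (x*y=k) pool
LTV = 0.5    # assumed loan-to-value ratio for BOO collateral

@dataclass
class Pool:
    boo: float  # BOO reserve
    usd: float  # quote reserve, modelled as a stablecoin for simplicity

    def spot_price(self) -> float:
        """USD per BOO read straight from current reserves."""
        return self.usd / self.boo

    def buy_boo(self, usd_in: float) -> float:
        """Swap usd_in for BOO along x*y=k; returns the BOO taken out."""
        usd_eff = usd_in * (1 - FEE)
        boo_out = self.boo * usd_eff / (self.usd + usd_eff)
        self.usd += usd_in
        self.boo -= boo_out
        return boo_out

def borrow_limit(collateral_boo: float, price: float) -> float:
    """Maximum loan the lending market grants against the collateral."""
    return collateral_boo * price * LTV

def guarded_price(spot: float, reference: float, max_dev: float = 0.05) -> float:
    """Hypothetical mitigation: refuse a spot price far from a trusted feed."""
    if abs(spot - reference) / reference > max_dev:
        raise ValueError(f"spot {spot:.2f} deviates from reference {reference:.2f}")
    return spot

def simulate(flash_usd: float = 9_000_000.0, collateral_boo: float = 1_000.0):
    pool = Pool(boo=1_000_000.0, usd=1_000_000.0)  # constructed reserves
    reference = pool.spot_price()  # stands in for a trusted feed (1.00 USD)
    honest = borrow_limit(collateral_boo, pool.spot_price())
    pool.buy_boo(flash_usd)  # borrowed funds pull BOO out within one transaction
    inflated = borrow_limit(collateral_boo, pool.spot_price())
    try:
        guarded_price(pool.spot_price(), reference)
        blocked = False
    except ValueError:
        blocked = True
    return honest, inflated, blocked

if __name__ == "__main__":
    honest, inflated, blocked = simulate()
    print(f"borrow limit at honest price:   {honest:,.0f} USD")
    print(f"borrow limit at inflated spot:  {inflated:,.0f} USD")
    print(f"deviation guard rejects price:  {blocked}")
```

With these constructed numbers the same 1,000 BOO supports roughly 100 times more borrowing once the pool has been drained, while a comparison against an independent reference price rejects the manipulated quote.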
As the Polter Finance hack demonstrates, even copying code from an audited protocol doesn’t mean that a project is free of vulnerabilities. Before launching any code on-chain, it’s important to undergo a comprehensive security audit.