Polter Finance Incident Analysis
11/18/2024

Incident Summary

On 16 November 2024, Polter Finance was exploited for ~$8.7 million, due to a price manipulation exploit. Polter Finance paused their platform shortly after to investigate.


The ‘AaveOracle’ contract consulted by Polter Finance lending pools relies on the spot price of two pairs for the price of BOO Token. As a result, the attacker manipulated the token price of BOO to drain multiple lending pools by borrowing against the inflated token price.

Key Transactions

https://ftmscan.com/tx/0x5118df23e81603a64c7676dd6b6e4f76a57e4267e67507d34b0b26dd9ee10eac

Attack Flow

Addresses

Exploiter: 0x511f427Cdf0c4e463655856db382E05D79Ac44a6

Exploit Contract: 0xA21451aC32372C123191B3a4FC01deB69F91533a

Spooky v2 pair: 0xec7178f4c41f346b2721907f5cf7628e388a7a58

Spooky v3 pair: 0xed23be0cc3912808ec9863141b96a9748bc4bd89

Chainlink UniV2Adapter: 0x875d564a6a86f6154592b88f7a107a517f00cc17

PriceFeedV2: 0x80663EDff11e99e8E0B34cb9C3E1fF32E82A80Fe

Victim Pools

pMIM: 0xa826b29d81caef8c9aa212f172ab3ef00566e91e

pWSOL: 0x0299553df0fa396c0f6f3456d293608e189c3cf3

pFTM: 0xbbce4b1513d4285bd7a59c2c63835535151c8e7c

pSFTMX: 0xbbce4b1513d4285bd7a59c2c63835535151c8e7c

pLZ_WETH: 0x328c7a684f160c089ebff07ff1b5a417f024979e

Step by Step

  1. The attacker initiated the exploit with a flashloan of 269,042 BOO and 1,154,788 BOO tokens from Spooky V3 LP 0xEd23 and Spooky V2 LP 0xec71 respectively, which was the balance of each pool. This left only 1e6 wei BOO tokens on both pairs.

  2. The attacker deposited 1 BOO token into a Polter lending pool as collateral to borrow against. Implementation: 0xD47aE558623638F676C1E38dAd71B53054F54273.

  3. The attacker borrowed 9,134,844 wFTM. During the validation process, Polter's ‘AaveOracle’ was consulted. This oracle relied on a single liquidity pair to calculate the price of the BOO token.

It read the current balance of wFTM on pair 0xec71 at 1,828,570 and current BOO token balance at 1e6 wei.

The ‘previousChainlink0Response’ also read the current balance, due to incorrect logic in the adapter.

The current balance of wFTM on pair 0xed23 was read at 396,315, and the BOO token balance at 1e6 wei. As a result, the 1 BOO token deposited was valued at $1,373,782,984,830,617,596, enabling arbitrary borrowing.

  4. The exploiter drained multiple Polter lending pools by borrowing assets repeatedly.

Vulnerability

In this incident, the ‘AaveOracle’ consulted by Polter lending pools relied on the spot price of two pairs for the price of BOO Token. In the PriceFeedV2 contract there was supposed to be a ‘previousChainlink0Response’ price.

That ‘previousChainlink0Response’ price is used to check whether the price change is too drastic; if it is, the feed returns the ‘lastGoodPrice’ stored previously.

However, in ChainlinkUniV2Adapter the ‘getRoundData()’ method has exactly the same logic as ‘latestRoundData()’: the ‘_roundId’ parameter is never used, so the method simply returns the current spot price as well. The deviation check therefore compares the manipulated spot price against itself and never falls back to ‘lastGoodPrice’.
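
The following Python model is added here and is not Polter Finance or Chainlink code; it reproduces the guard described in this section together with the reserve reading from step 3 above. `spot_price` derives a UniV2-style price from raw reserves, an adapter built with `honour_round_id=False` mirrors the ‘getRoundData()’ flaw, and `PriceFeed` applies a deviation check against the previous round. The 50% deviation threshold, the class and method names, and the two-round reserve history are assumptions constructed from the figures in the write-up.

```python
WAD = 10**18  # one whole token = 1e18 wei

def spot_price(reserve_wftm: int, reserve_boo: int) -> int:
    """UniV2-style spot price from raw reserves: wFTM wei per 1 BOO (1e18 wei)."""
    return reserve_wftm * WAD // reserve_boo

class UniV2Adapter:
    """Adapter over a pair's reserve snapshots (index == round id); returns (round_id, answer)."""

    def __init__(self, history, honour_round_id: bool):
        self.history = history
        self.honour_round_id = honour_round_id

    def latestRoundData(self):
        rid = len(self.history) - 1
        return rid, spot_price(*self.history[rid])

    def getRoundData(self, round_id: int):
        if not self.honour_round_id:
            # The flaw described above: _roundId is ignored and the spot price comes back again.
            return self.latestRoundData()
        return round_id, spot_price(*self.history[round_id])

class PriceFeed:
    """Deviation guard: latest vs. previous round; on a drastic move return lastGoodPrice."""

    MAX_DEVIATION_BPS = 5_000  # assumed 50% threshold, not the contract's real value

    def __init__(self, adapter: UniV2Adapter, last_good_price: int):
        self.adapter = adapter
        self.last_good_price = last_good_price

    def fetch_price(self) -> int:
        rid, latest = self.adapter.latestRoundData()
        _, previous = self.adapter.getRoundData(rid - 1)
        if abs(latest - previous) * 10_000 > previous * self.MAX_DEVIATION_BPS:
            return self.last_good_price  # guard trips: stale-but-sane price is returned
        self.last_good_price = latest
        return latest

# Constructed reserve history for pair 0xec71 using the write-up's figures (wei):
# round 0 before the flashloan, round 1 with only 1e6 wei BOO left in the pair.
HISTORY = [(1_828_570 * WAD, 1_154_788 * WAD), (1_828_570 * WAD, 10**6)]
NORMAL_PRICE = spot_price(*HISTORY[0])  # ~1.58 wFTM per BOO before the attack

def price_seen_by_lending_pool(honour_round_id: bool) -> int:
    """Price (wFTM wei) the lending pool would assign to 1 BOO right after the flashloan."""
    feed = PriceFeed(UniV2Adapter(HISTORY, honour_round_id), NORMAL_PRICE)
    return feed.fetch_price()
```

With the flawed adapter the pool prices 1 BOO at about 1.8e18 wFTM; with an adapter that honours the round id, the same guard trips and the pre-attack price is returned instead.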

Fund Flow

After swapping the stolen assets, exploiter address 0x511f427Cdf0c4e463655856db382E05D79Ac44a6 received over 10M FTM tokens and transferred them to 11 different wallets in batches of 1M tokens.

The funds were then split across 16 different wallets and bridged to the Ethereum blockchain via SquidRouter and Li.fi.

At the time of writing, the funds have been split across 19 wallets. The largest one is 0x4e04a404e2aeca5956d6c373ce12a2380d2bfe11, which holds 358.12 ETH (~$1.1M).

Another address, 0x141c616f324bf13b0e787fefa6b25b3e1c56e1dd, has since laundered 220 ETH (~$700k) via Tornado Cash.

Polter Finance have reached out to the exploiter to negotiate the return of the stolen funds.

The Stats

From the beginning of 2024, we have recorded 30 incidents related to price manipulation, resulting in a total loss of ~$50M. In 2023, we recorded 71 incidents for a loss of ~$68M. The overall decline is likely due to increased awareness of, and security around, the vulnerabilities that arise when using price oracles.

So far in 2024, this incident is the 3rd largest price manipulation exploit, just behind UwULend ($19M) and WooFi ($8.7M).

To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis on certik.com.