On 16 November 2024, Polter Finance was exploited for ~$8.7 million in a price manipulation attack. Polter Finance paused the platform shortly afterwards to investigate.
The ‘AaveOracle’ contract consulted by the Polter Finance lending pools relies on the spot price of two pairs for the price of the BOO token. The attacker manipulated the BOO price and drained multiple lending pools by borrowing against the inflated token value.
https://ftmscan.com/tx/0x5118df23e81603a64c7676dd6b6e4f76a57e4267e67507d34b0b26dd9ee10eac
Addresses
Exploiter: 0x511f427Cdf0c4e463655856db382E05D79Ac44a6
Exploit Contract: 0xA21451aC32372C123191B3a4FC01deB69F91533a
Spooky v2 pair: 0xec7178f4c41f346b2721907f5cf7628e388a7a58
Spooky v3 pair: 0xed23be0cc3912808ec9863141b96a9748bc4bd89
Chainlink UniV2Adapter: 0x875d564a6a86f6154592b88f7a107a517f00cc17
PriceFeedV2: 0x80663EDff11e99e8E0B34cb9C3E1fF32E82A80Fe
Victim Pools
pMIM: 0xa826b29d81caef8c9aa212f172ab3ef00566e91e
pWSOL: 0x0299553df0fa396c0f6f3456d293608e189c3cf3
pFTM: 0xbbce4b1513d4285bd7a59c2c63835535151c8e7c
pSFTMX: 0xbbce4b1513d4285bd7a59c2c63835535151c8e7c
pLZ_WETH: 0x328c7a684f160c089ebff07ff1b5a417f024979e
Step by Step
The oracle read the current wFTM balance of pair 0xec71 as 1,828,570 and the current BOO token balance as 1e6 wei.
Because of incorrect logic, the 'previousChainlink0Response' was also derived from the current balance.
The current wFTM balance of pair 0xed23 was read as 396,315, with the BOO token balance again at 1e6 wei. As a result, the 1 BOO token deposited was valued at $1,373,782,984,830,617,596, enabling arbitrary borrowing.
In this incident, the ‘AaveOracle’ consulted by Polter lending pools relied on the spot price of two pairs for the price of BOO Token. In the PriceFeedV2 contract there was supposed to be a ‘previousChainlink0Response’ price.
That ‘previousChainlink0Response’ price is used to check if the price change is too drastic and if it is, the feed would return the 'lastGoodPrice' stored previously.
However, in ChainlinkUniV2Adapter the ‘getRoundData()’ logic is identical to ‘latestRoundData()’. The ‘_roundId’ parameter is effectively unused: the method simply returns the current spot price as well, so the "previous" price the deviation check compares against is the same manipulated spot price.
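As an added illustration (not the Polter Finance or CertiK code), the following Python model contrasts an adapter whose getRoundData() ignores the round id with one that keeps a round history, feeding both through a Liquity-style deviation check that falls back to lastGoodPrice. The 50% threshold and the 1,000,000 wFTM / 500,000 BOO pool are constructed assumptions; only the post-drain BOO balance of 1e6 wei comes from the incident.

```python
MAX_DEVIATION_BPS = 5_000  # assumed 50% threshold; the real contract's value is not on the page


def spot_price(reserve_base: int, reserve_quote: int) -> int:
    """Spot price of the quote token in base-token wei (18 decimals), as a UniV2 pair implies it."""
    return reserve_base * 10**18 // reserve_quote


def deviation_too_large(current: int, previous: int) -> bool:
    return previous == 0 or abs(current - previous) * 10_000 // previous > MAX_DEVIATION_BPS


class VulnerableAdapter:
    """Mirrors the bug described above: getRoundData() just returns the live spot price."""
    def __init__(self, pool: dict): self.pool = pool
    def latest_round_data(self): return 1, spot_price(**self.pool)
    def get_round_data(self, _round_id): return _round_id, spot_price(**self.pool)  # _round_id ignored


class RoundedAdapter:
    """Records each observed round so that an earlier round is genuinely historical data."""
    def __init__(self, pool: dict): self.pool, self.rounds = pool, []
    def record_round(self): self.rounds.append(spot_price(**self.pool))
    def latest_round_data(self): return len(self.rounds) - 1, self.rounds[-1]
    def get_round_data(self, round_id): return round_id, self.rounds[round_id]


class PriceFeed:
    """Returns the current price unless it deviates too far from the previous round."""
    def __init__(self, adapter): self.adapter, self.last_good_price = adapter, 0
    def fetch_price(self) -> int:
        round_id, current = self.adapter.latest_round_data()
        _, previous = self.adapter.get_round_data(round_id - 1)
        if self.last_good_price and deviation_too_large(current, previous):
            return self.last_good_price  # fall back, as PriceFeedV2 was meant to
        self.last_good_price = current
        return current


def simulate(adapter_cls):
    """Returns (price before the drain, price after the drain) for the given adapter."""
    # Constructed pool: 1,000,000 wFTM against 500,000 BOO, i.e. 2 wFTM per BOO.
    pool = {"reserve_base": 1_000_000 * 10**18, "reserve_quote": 500_000 * 10**18}
    adapter, feed = adapter_cls(pool), None
    feed = PriceFeed(adapter)
    if isinstance(adapter, RoundedAdapter):
        adapter.record_round(); adapter.record_round()  # two honest rounds on record
    honest = feed.fetch_price()
    pool["reserve_quote"] = 10**6  # pair drained to 1e6 wei of BOO; base reserve held fixed for simplicity
    if isinstance(adapter, RoundedAdapter):
        adapter.record_round()
    return honest, feed.fetch_price()
```

With the vulnerable adapter the deviation check compares the manipulated spot price against itself and accepts it; with a real round history the feed returns lastGoodPrice instead.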
After swapping the stolen assets, the exploiter address 0x511f427Cdf0c4e463655856db382E05D79Ac44a6 received over 10M FTM tokens and transferred them to 11 different wallets in batches of 1M tokens.
The funds were then split across 16 different wallets and bridged to the Ethereum blockchain via SquidRouter and Li.fi.
At the time of writing, the funds have been split across 19 wallets. The largest one is 0x4e04a404e2aeca5956d6c373ce12a2380d2bfe11, which holds 358.12 ETH (~$1.1M).
Another address, 0x141c616f324bf13b0e787fefa6b25b3e1c56e1dd, has since laundered 220 ETH (~$700k) via Tornado Cash.
Polter Finance have reached out to the exploiter to negotiate the return of the stolen funds.
Since the beginning of 2024, we have recorded 30 incidents related to price manipulation, resulting in a total loss of ~$50M. In 2023, we recorded 71 incidents for a loss of ~$68M. The overall decline is likely due to increased awareness of, and better safeguards around, the risks of using price oracles.
So far in 2024, this incident is the 3rd largest price manipulation exploit, just behind UwULend ($19M) and WooFi ($8.7M).
To keep up to date on the latest incident alerts and statistics follow @certikalert on X, or read our latest analysis on certik.com.