On October 21, a hacker exploited a security vulnerability to steal $300,000 from Olympus DAO. An agreement was later negotiated with the hacker, and all funds were returned.
A hacker drained $304,000 worth of Olympus DAO tokens from a smart contract running on Bond Protocol at 1:22 a.m. yesterday.
According to security firm PeckShield, the hacker’s malicious fund transfer request was improperly validated by the contract.
“It seems the related @OlympusDAO’s BondFixedExpiryTeller contract has a redeem() function that does not properly validate the input, resulting in ~$292K loss,” tweeted PeckShield Inc. (@peckshield) on October 21, 2022.
The affected contract, called “BondFixedExpiryTeller,” is where bonds denominated in OHM tokens were opened.
PeckShield said the contract’s redeem() function lacked input validation, so an attacker could supply crafted input values to redeem funds. Etherscan, a blockchain explorer for Ethereum (ETH), confirmed the exploit.
Addressing The Issues
In a Discord channel yesterday morning, Olympus DAO community members addressed the hack.
“Dear community. This morning, an exploit occurred through which the attacker was able to withdraw roughly 30,000 OHM ($300,000) from the OHM bond contract at Bond Protocol. This bug was not found by three auditors, nor by our internal code review, nor reported via our Immunefi bug bounty,” they said.
“Our phased rollout put only a limited amount of funds at risk and as a result, the total amount exploited is lower than the bug bounty the attacker would have been able to claim through Immunefi,” they added.
According to Olympus DAO, all other funds are safe and all affected markets have been closed.
They are investigating how best to compensate all affected bonders, whether through a contract or an airdrop; once this is finalized, they will communicate via Discord.
“Additionally, we will do a thorough investigation and the council, together with our development team will come with a report of how this happened and how we will prevent this in the future. We aim to present this to the community during our next community call, November 4th. In the meantime, we encourage anyone to log any potential bugs through the Immunefi platform,” they explained.
A spokesperson for the Olympus DAO has stated that the funds have now been returned, and Etherscan data confirms the return transaction.