Decoding Polter Finance’s $12M Hack

Updated at: December 24, 2024
5 Mins Read

Author: QuillAudits Team

What Just Happened?

Polter Finance, a decentralized lending and borrowing platform on Fantom (since rebranded to Sonic), suffered a devastating $12M hack.

The culprit? A classic oracle manipulation attack: the hacker used a flash loan to artificially inflate the price of the $BOO token (SpookySwap's governance token), then used the inflated token as collateral to drain Polter's liquidity pools.

Too Long; Didn't Read (TL;DR)

  • Polter Finance exploited for $12M due to an oracle manipulation attack.
  • $BOO token price was manipulated, enabling the hacker to drain liquidity pools.
  • Flash loans were used to execute the attack.
  • Root cause: Lack of robust security measures and reliance on a vulnerable oracle setup.

What Was Polter Finance’s Purpose?

Polter Finance was a decentralized, non-custodial lending and borrowing platform on the Fantom chain. It allowed users to deposit assets to earn interest and borrow against their holdings. The platform was created to meet the community's demand for a service similar to the discontinued $GEIST protocol, adopting the same smart contract structure. However, this approach not only carried over its functionality but also its underlying vulnerabilities.

How Did the Attack Go Down?

Step 1: Flash Loan Setup

The attacker initiated the exploit by borrowing nearly all $BOO tokens from the SpookySwap LP using a flash loan.

Step 2: Oracle Manipulation

By draining the LP, the attacker artificially increased the price of the $BOO token. This manipulated price was picked up by Polter’s oracle.

Step 3: Draining Polter's Liquidity

The now-inflated $BOO token was deposited into Polter Finance as collateral, allowing the hacker to borrow against it and drain all of its liquidity pools.

Step 4: Exit Stage Left

The attacker walked away with $12M in stolen assets and siphoned the funds away via Tornado Cash, leaving Polter Finance and its users high and dry.

What was the Root Cause?

The root cause of the hack was price manipulation of the protocol's oracle.

The price of the SpookySwap BOO token in the lending pool was determined by the spot price from the SpookySwap v3 pool and v2 pair, calculated from the token balance ratio in the pool.

The attacker borrowed nearly all the available BOO tokens from the LP, which resulted in an artificially high BOO price.

This allowed the attacker to deposit just 1 BOO and drain all pools. This is a textbook example of why forked projects must undergo thorough security audits.
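To make the root cause concrete, here is an added Python illustration (not Polter's or SpookySwap's code, and with constructed reserve figures): a balance-ratio spot price, what happens to it when most of one reserve leaves the pair within a single transaction, and a hypothetical TWAP deviation guard of the kind a lending protocol can use to refuse such a reading.

```python
# Added example (not Polter or SpookySwap code): a balance-ratio spot price, how pulling
# most of one reserve out within a transaction distorts it, and a TWAP deviation guard
# that refuses the distorted reading. All reserve figures below are constructed.
from dataclasses import dataclass, field

@dataclass
class Pair:
    reserve_boo: float   # BOO held by the pair
    reserve_ftm: float   # quote asset held by the pair

    def spot_price(self) -> float:
        return self.reserve_ftm / self.reserve_boo   # the balance-ratio pattern the post describes

def withdraw_boo(pair: Pair, fraction: float) -> Pair:
    """Reserves after `fraction` of the BOO leaves the pair with no quote asset added."""
    return Pair(pair.reserve_boo * (1 - fraction), pair.reserve_ftm)

def borrow_limit(price: float, collateral_boo: float, ltv: float) -> float:
    """Quote-asset amount a lender that trusts `price` would let this collateral borrow."""
    return collateral_boo * price * ltv

@dataclass
class TwapOracle:
    window: int            # seconds of history averaged
    max_deviation: float   # 0.10 means a spot price more than 10% from the TWAP is refused
    observations: list = field(default_factory=list)   # (timestamp, price) pairs

    def twap(self, now: int) -> float:
        # Each observed price holds until the next observation (or `now`); weight by that duration.
        start, obs = now - self.window, sorted(self.observations)
        total = weight = 0.0
        for i, (t, p) in enumerate(obs):
            end = obs[i + 1][0] if i + 1 < len(obs) else now
            lo, hi = max(t, start), min(end, now)
            if hi > lo:
                total, weight = total + p * (hi - lo), weight + (hi - lo)
        return total / weight

    def accepts(self, now: int, spot: float) -> bool:
        """True only if `spot` is within max_deviation of the TWAP; a lender should halt otherwise."""
        avg = self.twap(now)
        return abs(spot - avg) / avg <= self.max_deviation

def run_scenario():
    pair = Pair(reserve_boo=1_000_000.0, reserve_ftm=500_000.0)   # honest price 0.5
    oracle = TwapOracle(window=3600, max_deviation=0.10)
    for ts in range(0, 3600, 600):                                 # an hour of benign readings
        oracle.observations.append((ts, pair.spot_price()))
    skewed = withdraw_boo(pair, 0.999)       # 99.9% of the BOO gone within one transaction
    naive_limit = borrow_limit(skewed.spot_price(), 1.0, 0.75)    # what 1 BOO could now borrow
    return pair.spot_price(), skewed.spot_price(), naive_limit, oracle.accepts(3600, skewed.spot_price())
```

With the constructed reserves, one BOO is worth 0.5 before the withdrawal and about 500 after it, so a lender trusting the spot ratio would extend roughly 375 units of credit against a single token, while the TWAP guard rejects the reading outright.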

Where Did the Funds Go?

The stolen funds were moved to wallet address 0x39Fde96298720A689b0C95BfD3a69F38b85032D9, as identified on the blockchain.

Polter Finance reached out to the hacker via an on-chain message to negotiate the return of funds, but there has been no response.

Attack transaction: https://app.blocksec.com/explorer/tx/fantom/0x5118df23e81603a64c7676dd6b6e4f76a57e4267e67507d34b0b26dd9ee10eac

Could This Have Been Prevented?

Absolutely. Here’s how:

  1. Audits from Experts: A comprehensive audit from a trusted security partner like QuillAudits could have identified and mitigated these vulnerabilities before launch.
  2. Flash Loan Mitigation: Disabling flash loans, as Polter plans to do post-incident, should have been implemented from the start.
  3. Robust Oracle Systems: Integrating a reliable and manipulation-resistant oracle would have prevented price inflation exploits.

What’s the Takeaway?

Neglecting security is a recipe for disaster. Forked projects like Polter often assume the original developers' security measures are enough, but as this attack shows, cutting corners costs millions.

The Web3 ecosystem desperately needs projects to prioritize user safety. Audits aren't optional; they're essential. Polter's $12M loss is a harsh reminder that without proper precautions, trust and assets can vanish overnight.

Why QuillAudits?

Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.

QuillAudits Team

The QuillAudits team comprises expert security researchers and auditors in Web3 security and has completed 1,000+ audits across Ethereum, Polygon, Solana, Arbitrum, BSC, and more, securing $30B+ with 0 exploits and advancing the blockchain ecosystem.
