Polter Finance Hack - November 2024 ($12M)
Overview
In November 2024, Polter Finance, a DeFi lending protocol deployed on Fantom, was the victim of an exploit in which the attacker abused a price manipulation vulnerability in the protocol's smart contracts to drain an estimated $8.7 million. The Polter Finance team, however, filed a police report putting the losses at $12 million.
The Exploit Mechanism
The vulnerability was a classic oracle manipulation: the protocol relied on the spot price of a token, which is dangerous because a spot price can be moved within a single transaction using a flash loan. The attacker artificially inflated the perceived value of the BOO token by draining BOO from the pool used to calculate its price; the BOO tokens they then deposited as collateral were massively overvalued, letting them borrow far more than the collateral was actually worth.
Instead of using a trusted source for the price of BOO, the smart contract read the spot price directly from the SpookySwap V2/V3 pool for the token. The attacker took out a large flash loan, shifted the token balances in the SpookySwap pool, and thereby changed the perceived price of BOO.
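The following is an added example, not code from Polter Finance or SpookySwap: a constructed constant-product pool and lending check that contrasts a naive spot-price collateral valuation with a TWAP plus deviation check. Pool sizes, the flash loan amount and the LTV are illustrative assumptions.

```python
# Constructed model of the failure mode: a lending market that prices BOO
# collateral off a constant-product pool's spot reserve ratio, compared with
# a TWAP plus deviation check. Reserves and amounts are illustrative only.
from dataclasses import dataclass

@dataclass
class ConstantProductPool:
    """Uniswap-V2-style BOO/FTM pool, x*y=k, swap fee ignored for clarity."""
    reserve_boo: float
    reserve_ftm: float

    def spot_price(self) -> float:
        # FTM per BOO as a naive oracle reads it: the instantaneous reserve ratio.
        return self.reserve_ftm / self.reserve_boo

    def buy_boo(self, ftm_in: float) -> float:
        # Paying FTM into the pool pulls BOO out and pushes the spot price up.
        k = self.reserve_boo * self.reserve_ftm
        new_ftm = self.reserve_ftm + ftm_in
        boo_out = self.reserve_boo - k / new_ftm
        self.reserve_boo -= boo_out
        self.reserve_ftm = new_ftm
        return boo_out

def twap(observations: list[float]) -> float:
    """Mean of per-block price observations recorded before the current transaction."""
    return sum(observations) / len(observations)

def max_borrow(collateral_boo: float, price: float, ltv: float) -> float:
    return collateral_boo * price * ltv

def within_deviation(spot: float, reference: float, max_ratio: float = 0.10) -> bool:
    """Hardened oracle: refuse to price collateral when spot strays far from the TWAP."""
    return abs(spot - reference) / reference <= max_ratio

def simulate_flashloan_manipulation(flashloan_ftm: float = 9_000_000, ltv: float = 0.75) -> dict:
    pool = ConstantProductPool(reserve_boo=1_000_000, reserve_ftm=1_000_000)
    history = [pool.spot_price() for _ in range(10)]  # ten calm blocks at 1 FTM per BOO
    boo_bought = pool.buy_boo(flashloan_ftm)         # single-tx manipulation drains BOO
    spot_after = pool.spot_price()
    reference = twap(history)                        # unaffected: history predates this tx
    return {
        "spot_after": spot_after,
        "naive_max_borrow": max_borrow(boo_bought, spot_after, ltv),
        "twap_max_borrow": max_borrow(boo_bought, reference, ltv),
        "deviation_check_passes": within_deviation(spot_after, reference),
        "flashloan_cost": flashloan_ftm,
    }
```

With the spot oracle the manipulated collateral supports a borrow many times larger than the flash loan that created it; with the TWAP the same deposit supports far less than the loan cost, and the deviation check refuses to price it at all.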
Root Cause Analysis
Polter Finance's smart contracts were largely a copy-paste of the Geist protocol, and the team did not have their own deployment audited; instead they provided users with a copy of the Geist contract's audit. This was especially problematic because the protocol contained a simple price oracle manipulation vulnerability.
Stolen Assets
The drained funds included a mix of tokens:
• $7.87 million in Fantom (FTM)
• $1.03 million in wrapped USD Coin (USDC)
• $2.1 million in Stader sFTMX
• $251,000 in Magic Internet Money (MIM)
Response & Investigation
On Nov. 17, Polter Finance paused its platform after identifying the exploit and notified investors on X. The protocol traced the stolen funds to wallets on the crypto exchange Binance. Polter Finance reached out to the hacker via an on-chain message, offering room for negotiation and impunity.