Hacker Steals $300K from OlympusDAO Despite $3.3M Bug Bounty
DeFi protocol OlympusDAO lost $300,000 in its native OHM tokens after a hacker exploited one of its smart contracts on Ethereum, according to PeckShield.
Neither the author, Tim Fries, nor this website, The Tokenist, provide financial advice. Please consult our website policy prior to making financial decisions.

DeFi reserve currency protocol OlympusDAO lost roughly $300,000 after a hacker attacked its smart contract on Ethereum, security firm PeckShield reported Friday. The hacker drained 30,437 OHM tokens after a contract written by Bond Protocol failed to verify the perpetrator’s malicious fund transfer request.

OlympusDAO to Compensate Users Following a $300K Exploit

A hacker siphoned 30,437 OHM tokens, worth around $300,000, from an Ethereum smart contract used by the decentralized finance (DeFi) protocol OlympusDAO and written by Bond Protocol. The exploit took place at 1:22 am ET Friday.

The hacker was able to drain the funds because the affected contract did not validate the perpetrator’s fund transfer request, PeckShield noted. The contract, named “BondFixedExpiryTeller,” handled bonds paid out in the protocol’s native OHM token, but its “redeem()” function was missing a check on its input, so the hacker could supply crafted input values and have the contract hand over the funds.
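The failure described above is a missing input check: a redeem function that trusts whatever bond-token address the caller passes in, and therefore trusts every value it then reads back from that address. The following Solidity is an added illustration of that bug class and its fix, written for this article; it is not Bond Protocol's or OlympusDAO's code, and the contract names, function names and the `BondToken` layout are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative example, not Bond Protocol's BondFixedExpiryTeller.
// All names below are assumed for the demonstration.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Minimal fixed-expiry bond token: one per (underlying, expiry) pair,
// mintable and burnable only by the teller that deployed it.
contract BondToken {
    IERC20 public immutable underlying;
    uint48 public immutable expiry;
    address public immutable teller;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 underlying_, uint48 expiry_) {
        underlying = underlying_;
        expiry = expiry_;
        teller = msg.sender;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == teller, "only teller");
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external {
        require(msg.sender == teller, "only teller");
        balanceOf[from] -= amount; // reverts on underflow in 0.8.x
    }
}

// VULNERABLE: redeem() accepts any address as a bond token. Because the
// caller chooses token_, the caller also controls what expiry(),
// underlying() and burn() return or do, so every check below is
// performed against attacker-supplied values.
contract VulnerableTeller {
    function redeem(BondToken token_, uint256 amount_) external {
        require(block.timestamp >= token_.expiry(), "not expired");
        token_.burn(msg.sender, amount_);
        require(token_.underlying().transfer(msg.sender, amount_), "transfer failed");
    }
}

// HARDENED: the teller only honours bond tokens it deployed itself.
// The allowlist is keyed on addresses the teller recorded at deployment,
// so it cannot be satisfied by a contract that merely claims to be one.
contract HardenedTeller {
    mapping(address => bool) public isBondToken;

    event BondTokenDeployed(address token, address underlying, uint48 expiry);

    function deploy(IERC20 underlying_, uint48 expiry_) external returns (BondToken token) {
        token = new BondToken(underlying_, expiry_);
        isBondToken[address(token)] = true;
        emit BondTokenDeployed(address(token), address(underlying_), expiry_);
    }

    function redeem(BondToken token_, uint256 amount_) external {
        // The missing check: reject anything this teller did not create.
        require(isBondToken[address(token_)], "unknown bond token");
        require(block.timestamp >= token_.expiry(), "not expired");
        token_.burn(msg.sender, amount_);
        require(token_.underlying().transfer(msg.sender, amount_), "transfer failed");
    }
}
```

Note what does not work as a fix: reading a self-reported field such as `token_.teller()` and comparing it to `address(this)` is no better than the vulnerable version, because a contract the caller deployed can return any value from that getter. Validation of a caller-supplied contract address has to rest on state the verifying contract wrote itself, such as the `isBondToken` mapping above, or on a deterministic derivation it can recompute (for example a CREATE2 address).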

“This morning, an exploit occurred through which the attacker was able to withdraw roughly 30K OHM ($300K) from the OHM bond contract,” the OlympusDAO team said in its Discord channel. Olympus said the remaining $217 million staked on the protocol was not at risk, adding that it will compensate users affected in today’s hack.

OlympusDAO is a DeFi reserve currency protocol behind the OHM token, each unit of which is backed by a basket of assets from Olympus’s treasury. The protocol issues OHM at a discount in exchange for users’ crypto assets, with the aim of expanding its treasury.

In January 2022, OlympusDAO launched a bug bounty program with a maximum bounty of $3,333,333, more than ten times what was lost in today’s exploit. The maximum reward applies to “bugs/exploits which would lead to a loss of bond funds or a loss of user funds,” according to Olympus.

DeFi – The Hackers’ Favorite

Today’s exploit is the latest in a series of hacks that targeted DeFi protocols this year. According to Chainalysis, hackers are stealing more crypto from DeFi projects than ever before, a trend that emerged in 2021.

This week, FTX founder and CEO Sam Bankman-Fried proposed a framework that would help cushion the impact of hacks and scams on the industry. Among other things, Bankman-Fried proposed a “5-5 standard,” which would let hackers keep 5% or $5 million of the stolen amount, depending on which is smaller.

Earlier this month, Transit Swap lost almost $29 million following a hack that exploited an internal flaw in one of the contracts. The hacker returned around 65% of the stolen amount and promised to give back more after the decentralized exchange (DEX) completes the first phase of user refunds.

Update (21st October 2022): Article was updated to clarify the affected contract was written by Bond Protocol and not OlympusDAO.