Polter Finance, a decentralised non-custodial lending and borrowing platform operating on the Fantom blockchain, recently suffered a major security breach resulting in the loss of approximately $8.7 million. The incident was caused by a vulnerability in the platform's price oracle mechanisms, allowing an attacker to manipulate asset values and drain funds.
Behind the Breach
The attacker targeted Polter Finance's BOO token market shortly after its launch. Using flash loans, they artificially inflated the price of BOO tokens by manipulating the SpookySwap V2/V3 pool prices that Polter relied on for its price oracle. This allowed the attacker to borrow assets against the artificially inflated BOO collateral, effectively draining the protocol's liquidity. The core issue lay in Polter's reliance on unprotected spot prices from a single source, which left the oracle system open to manipulation.
Lessons from the Incident
To prevent similar exploits, platforms should consider the following controls:
Comprehensive Security Audits: All smart contracts and protocols should undergo rigorous, independent audits before deployment to identify potential vulnerabilities.
Secure Oracle Systems: Decentralised, tamper-resistant oracles should be used to provide accurate price feeds, minimising the risk of manipulation.
Flash Loan Mitigation Measures: Implement safeguards such as anomaly detection and rate limits to identify and block exploitative behaviour that relies on flash loans.
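The spot-price weakness and the oracle hardening described above, shown as an added Python simulation (not code from the original post or from Polter Finance). It models a constant-product pair and a time-weighted average price (TWAP) accumulator; the reserve sizes, the 30-minute window and the 10% deviation threshold are constructed assumptions, and the same deviation check generalises to any external reference feed.

```python
from dataclasses import dataclass, field
@dataclass
class ConstantProductPool:
    """Toy x*y=k pair in the style of a V2 AMM (constructed for this example)."""
    reserve_token: float  # collateral asset being priced, e.g. BOO
    reserve_quote: float  # asset it is priced in, e.g. FTM
    fee: float = 0.003
    def spot_price(self) -> float:
        # Price read straight from reserves: whoever can move the reserves moves it.
        return self.reserve_quote / self.reserve_token
    def swap_quote_for_token(self, quote_in: float) -> float:
        amount_in = quote_in * (1 - self.fee)
        token_out = self.reserve_token * amount_in / (self.reserve_quote + amount_in)
        self.reserve_quote += quote_in
        self.reserve_token -= token_out
        return token_out

@dataclass
class TwapOracle:
    """Time-weighted average of block-end prices, in the spirit of a V2 price accumulator."""
    observations: list = field(default_factory=list)  # (timestamp, spot price)
    def record(self, timestamp: int, price: float) -> None:
        self.observations.append((timestamp, price))
    def twap(self, now: int, window: int) -> float:
        pts = [(t, p) for t, p in self.observations if now - window <= t <= now]
        if len(pts) < 2:
            raise ValueError("not enough observations in window")
        weighted = sum(p * (t2 - t1) for (t1, p), (t2, _) in zip(pts, pts[1:]))
        return weighted / (pts[-1][0] - pts[0][0])

def safe_collateral_price(pool, oracle, now, window=1800, max_deviation=0.10):
    """Refuse a spot price that disagrees with the TWAP by more than max_deviation."""
    spot, ref = pool.spot_price(), oracle.twap(now, window)
    if abs(spot - ref) / ref > max_deviation:
        raise RuntimeError(f"spot {spot:.4f} is >{max_deviation:.0%} off TWAP {ref:.4f}")
    return min(spot, ref)  # conservative: value collateral at the lower of the two

def demo():
    pool = ConstantProductPool(reserve_token=1_000_000, reserve_quote=100_000)  # 0.10 per token
    oracle = TwapOracle()
    for ts in range(0, 1801, 60):  # 30 min of quiet history, one block-end sample per minute
        oracle.record(ts, pool.spot_price())
    quiet = safe_collateral_price(pool, oracle, now=1800)
    pool.swap_quote_for_token(200_000)  # one large same-block swap, flash-loan sized
    inflated = pool.spot_price()  # the unprotected reading a naive oracle would return
    try:
        after = safe_collateral_price(pool, oracle, now=1800)
    except RuntimeError:
        after = None  # a lending market would revert here instead of accepting the value
    return quiet, inflated, after
```

Because the TWAP only incorporates prices recorded at block boundaries, a single-block swap moves the spot reading far above the reference and the check refuses it, whereas a naive oracle would have valued the collateral at the inflated figure.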
Rivanorth is a cybersecurity company specialising in smart contract audits and 360 degree security services for Web3.
Visit rivanorth.com to find out more.
You build the future. We help you secure it.