tl;dr
Decentralized lending platform Polter Finance suffered a $12 million exploit on the Fantom blockchain, involving token pricing manipulation and fund drainage.
The breach, executed through Ethereum-based Tornado Cash and exploitation of a newly deployed smart contract, led to substantial user and founder losses.
Polter Finance paused its platform, notified bridge operators, and reported the incident to authorities in Singapore, with losses estimated at over $7 million.
The attack was linked to a price manipulation using oracles, enabling the hacker to drain funds by inflating the BOO token's price.
Polter Finance collaborated with SEAL-ISAC to track down the hacker, amid a surge in security breaches resulting in over $2 billion in losses in the crypto sector in 2024.
Polter Finance, a decentralized lending platform on the Fantom blockchain, was hit by a major exploit resulting in the loss of over $7 million in digital assets. The breach involved the manipulation of token pricing mechanisms, with the attacker funneling funds through Tornado Cash on Ethereum before executing the exploit on the Fantom network. Polter Finance paused its platform, notified bridge operators, and the founder filed a police report in Singapore. The hack caused losses exceeding $12 million SGD, though some reports suggest the actual amount stolen was around $7 million. The platform indicated it was investigating the nature of the exploit and was in the process of contacting authorities. The attack was linked to a price manipulation using oracles, and the platform offered to negotiate with the attacker for the return of stolen funds. The incident adds to a series of security breaches in the crypto sector, with total losses surpassing $2 billion in 2024, according to a Certik report.
Decentralized lending platform Polter Finance suffered a devastating exploit on the Fantom blockchain, essentially wiping out most of its assets. The breach, discovered early Sunday, involved the manipulation of the platform’s token pricing mechanisms, leaving its users in shock. The attacker began by funneling funds through Tornado Cash, an Ethereum-based coin mixer that conceals the origin of funds. These assets were then bridged—transferred from Ethereum to the Fantom network—where the exploit was executed. Once the breach was identified, Polter Finance took immediate action by pausing its platform to contain the damage and notified key bridge operators. The pseudonymous founder of Polter Finance, known as “Whichghost,” filed a police report in Singapore following the breach. The hack resulted in losses exceeding 16.1 million SGD (approximately $12 million USD). The newly deployed smart contract on the platform was exploited, causing unauthorized transactions to drain user assets, says the report. The founder also reported personal losses of $223,219. While the police report claims total losses of around $12 million, other reports from web3 security firms suggest the actual amount stolen was closer to $7 million.
According to DeFi Llama data, Polter Finance’s TVL was approximately $9.7 million before the attack, indicating substantial losses. In a statement on X (formerly Twitter), the team wrote, “We identified wallets involved and traced it to Binance. We are still investigating the nature of the exploit. We are in the processing of contacting the Authorities.” The platform was paused soon after the exploit was identified. Bridges were notified.
The platform also sent an on-chain message to the attacker, saying the team would be willing to negotiate without pursuing legal action if the stolen funds are returned. Web3 security experts think the root cause of the exploit was a price manipulation attack using oracles, the external data feeds that platforms use to determine token prices. Smart contract audit firm QuillAudits shared its findings with Decrypt, which show the vulnerability was tied to how Polter Finance calculated the value of the SpookySwap BOO token. “The price of the SpookySwap BOO token in the lending pool was determined by the spot price from the SpookySwap v3 pool and v2 pair; calculated based on the token balance
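
Why a price read from current pool balances is unsafe as a lending oracle, shown on a constructed constant-product pair with a time-weighted reference and a deviation guard as the mitigation. This is an added Python example, not code from Polter Finance, QuillAudits or SpookySwap; the `Pair` model, the reserves, the fee-free swap and the 5% threshold are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pair:
    """Constructed constant-product pair (x * y = k), no fees. Not a real pool."""
    boo: float               # BOO reserve
    quote: float             # quote-asset reserve
    cumulative: float = 0.0  # running sum of spot price * seconds held
    last_ts: int = 0

    def spot(self) -> float:  # price read straight from balances, as in the quote
        return self.quote / self.boo

    def observe(self, now: int) -> tuple[float, int]:
        # Fold the price that held since last_ts into the accumulator.
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now
        return self.cumulative, now

    def buy_boo(self, quote_in: float, now: int) -> float:
        """Swap quote for BOO. Reserves move, so the spot price moves with them."""
        self.observe(now)
        k = self.boo * self.quote
        self.quote += quote_in
        boo_out = self.boo - k / self.quote
        self.boo -= boo_out
        return boo_out

def twap(start: tuple[float, int], end: tuple[float, int]) -> float:
    return (end[0] - start[0]) / (end[1] - start[1])

def deviates(spot: float, reference: float, max_dev: float = 0.05) -> bool:
    return abs(spot - reference) / reference > max_dev

def collateral_price(spot: float, reference: float, max_dev: float = 0.05) -> float:
    """Price collateral at the time-weighted reference; refuse if spot diverged."""
    if deviates(spot, reference, max_dev):
        raise ValueError("spot diverges from TWAP: halt borrowing against this asset")
    return reference

def demo() -> dict:
    pair = Pair(boo=1_000_000, quote=1_000_000)  # constructed reserves, spot = 1.0
    start = pair.observe(now=0)
    pair.buy_boo(quote_in=9_000_000, now=1800)   # one large trade at t = 1800 s
    end = pair.observe(now=1800)                 # read in the same second as the trade
    spot, ref = pair.spot(), twap(start, end)
    return {"spot": spot, "twap": ref, "blocked": deviates(spot, ref)}

if __name__ == "__main__":
    print(demo())  # spot 100.0 vs TWAP 1.0: the guard refuses to price
```

A time-weighted reference raises the cost of moving the price rather than removing the risk, so thin pools still warrant an independent feed or a borrow cap on the asset.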