From decrypt by Vismaya V

Decentralized lending platform Polter Finance suffered a devastating exploit on the Fantom blockchain, essentially wiping out most of its assets.

The breach, discovered early Sunday, involved the manipulation of the platform’s token pricing mechanisms, leaving its users in shock.

The attacker began by funneling funds through Tornado Cash, an Ethereum-based coin mixer that conceals the origin of funds. These assets were then bridged—transferred from Ethereum to the Fantom network—where the exploit was executed.

Once the breach was identified, Polter Finance took immediate action by pausing its platform to contain the damage and notified key bridge operators.

The pseudonymous founder of Polter Finance, known as “Whichghost,” filed a police report in Singapore following the breach. The hack resulted in losses exceeding 16.1 million SGD (approximately $12 million USD).

The newly deployed smart contract on the platform was exploited, causing unauthorized transactions to drain user assets, says the report. The founder also reported personal losses of $223,219.

While the police report claims total losses of around $12 million, other reports from web3 security firms suggest the actual amount stolen was closer to $7 million.

According to DeFi Llama data, Polter Finance’s TVL was approximately $9.7 million before the attack, indicating substantial losses.

In a statement on X (formerly Twitter), the team wrote, ““We identified wallets involved and traced it to Binance. We are still investigating the nature of the exploit. We are in the processing of contacting the Authorities.”

The platform also sent an on-chain message to the attacker, saying the team would be willing to negotiate without pursuing legal action if the stolen funds are returned.

Web3 security experts think the root cause of the exploit was linked to a price manipulation attack using oracles—external data feeds that platforms use to determine token prices.

Smart contract audit firm QuillAudits shared their findings with Decrypt which shows the vulnerability was tied with how Polter Finance calculated the value of the SpookySwap BOO token.

“The price of the SpookySwap BOO token in the lending pool was determined by the spot price from the SpookySwap v3 pool and v2 pair; calculated based on the token balance ratio in the pool,” QuillAudits told Decrypt.

By artificially increasing the price of the BOO token, the hacker could deposit a very small amount (just 1 BOO token) and withdraw a much larger amount of other assets, effectively draining the platform of its funds.

“This case exemplifies a classic Oracle manipulation exploit. The BOO token price is manipulated by the attacker using a flash loan to artificially inflate the BOO token's price,” Hakan Unal, Senior Blockchain Scientist at Cyvers Ai, told Decrypt.

Polter Finance announced it has since colllaborated with the Security Alliance Information Sharing and Analysis Center (SEAL-ISAC) to track down the hacker.

This incident adds to the growing list of security breaches in the crypto sector. The total amount lost to the exploits has surpassed $2 billion in 2024 alone, with code vulnerabilities resulting in $39.6 million in losses over 44 incidents, per a recent Certik report.