A hacker drained 30,437 OHM tokens (about $300,000) from one of the smart contracts on Bond Protocol that Olympus DAO operated at 1:22 a.m. ET today. The incident took place because a contract failed to properly validate the hacker’s malicious fund transfer request, according to security firm PeckShield.
The affected contract, known as “BondFixedExpiryTeller,” was used to open bonds denominated in the Olympus DAO’s OHM tokens. The contract lacked a validation input in the “redeem() function,” which allowed the attacker to trick input values to redeem funds, PeckShield said.
In the official Discord, the Olympus team acknowledged the exploit and said: "This morning, an exploit occurred through which the attacker was able to withdraw roughly 30K OHM ($300K) from the OHM bond contract at Bond Protocol.” The team said the rest of $217 million staked on Olympus DAO was safe.
The hacker has returned all of the stolen tokens following a negotiated deal, a spokesperson from Olympus DAO said.