![](https://ghost.coinshots.com/content/images/2022/05/image-1318.png)
![](https://ghost.coinshots.com/content/images/2022/10/5-9.png)
At 1:22 a.m. ET today, a hacker drained 30,437 OHM tokens (about $300,000) from one of the smart contracts that Olympus DAO operated on Bond Protocol. The incident took place because the contract failed to properly validate the hacker’s malicious fund transfer request, according to security firm PeckShield.
> It seems the related @OlympusDAO's BondFixedExpiryTeller contract has a redeem() function that does not properly validate the input, resulting in ~$292K loss. https://t.co/dkhC5Ex9sz https://t.co/ikidpLyBga pic.twitter.com/wu5tUrepS6
>
> — PeckShield Inc. (@peckshield) October 21, 2022
The affected contract, known as “BondFixedExpiryTeller,” was used to open bonds denominated in Olympus DAO’s OHM tokens. Its redeem() function lacked input validation, which allowed the attacker to manipulate input values to redeem funds, PeckShield said.
In the official Discord, the Olympus team acknowledged the exploit and said: “This morning, an exploit occurred through which the attacker was able to withdraw roughly 30K OHM ($300K) from the OHM bond contract at Bond Protocol.” The team said the rest of the $217 million staked on Olympus DAO was safe.
The hacker has returned all of the stolen tokens following a negotiated deal, a spokesperson from Olympus DAO said.