Fuse Lending suffers $3.6 million hack on Fuse Network

Quick Take

  • Fuse Lending has lost $3.6 million to an attack on its lending product.
  • An unknown hacker took advantage of a reentrancy vulnerability in the protocol’s smart contract.

Fuse Lending, an implementation of lending protocol Ola Finance on Fuse Network, suffered a hack today. In the incident, the attacker pocketed an estimated $3.6 million in various assets.

The incident involved a common issue known as a reentrancy bug, a smart contract vulnerability that enables hackers to make repeated calls to a protocol in order to steal assets. Just a few weeks ago, two DeFi protocols on Gnosis Chain – Hundred Finance and Agave – lost customer funds amounting to more than $11 million in flash loan attacks resulting from reentrancy bugs. 

Security firm PeckShield told The Block that the hacker started by borrowing funds against their own collateral. Then, taking advantage of the reentrancy vulnerability in Fuse Lending's smart contracts, the hacker was able to remove the collateral without repaying the loan. The perpetrator repeated the same process on other Fuse Lending pools to make off with $3.6 million in total. 
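The borrow-then-withdraw pattern described above can be reproduced in a small Python model, added here as an illustration and not taken from Fuse Lending or Ola Finance code. It assumes the flaw is that the pool hands control to the receiver before recording the debt; the `Pool` class, its methods and the amounts are hypothetical, and the hardened variant records the debt first and rejects nested calls.

```python
# Simplified model of a lending pool (constructed for illustration; all names hypothetical).
class Pool:
    def __init__(self, cash, safe):
        self.cash, self.safe, self.locked = cash, safe, False
        self.collateral, self.debt = {}, {}

    def _enter(self):
        # Reentrancy guard: only enforced by the hardened variant.
        if self.safe and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount, on_receive):
        self._enter()
        try:
            if amount > self.collateral.get(user, 0) or amount > self.cash:
                raise ValueError("insufficient collateral or liquidity")
            if self.safe:  # hardened: record the debt before handing over control
                self.debt[user] = self.debt.get(user, 0) + amount
            self.cash -= amount
            on_receive(self)  # the transfer gives the receiver a chance to call back in
            if not self.safe:  # flawed: debt is recorded only after the external call
                self.debt[user] = self.debt.get(user, 0) + amount
        finally:
            self.locked = False

    def withdraw(self, user):
        self._enter()
        try:
            if self.debt.get(user, 0) > 0:
                raise ValueError("outstanding debt")
            return self.collateral.pop(user, 0)
        finally:
            self.locked = False

def simulate(safe):
    """Borrow 100 against 100 collateral with a receiver that re-enters withdraw()."""
    pool, withdrawn = Pool(cash=1000, safe=safe), []
    pool.deposit("borrower", 100)
    def on_receive(p):
        try:
            withdrawn.append(p.withdraw("borrower"))
        except (RuntimeError, ValueError):
            withdrawn.append(0)  # the pool refused the nested call
    pool.borrow("borrower", 100, on_receive)
    return pool.collateral.get("borrower", 0), pool.debt.get("borrower", 0), withdrawn[0]
```

`simulate(False)` leaves the pool with a recorded debt and no collateral behind it, while `simulate(True)` keeps the collateral locked against the same debt.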

After draining the funds, the perpetrator transferred them from Fuse Network to other blockchains – BNB Chain and Ethereum – via Fuse’s own cross-chain bridge. Of the total loot, it is reported that the hacker holds $3 million on Ethereum and another $637,000 on BNB Chain.


Ola Finance said it's still investigating the incident and promised to come out with a post-mortem report soon. Fuse Lending remains paused to control the damage. The project noted its lending services on other blockchains were unaffected in the incident.

Update: This article has been amended to clarify that Fuse Lending was affected rather than Ola Finance itself.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]