Aapsi's blog
Overview of the Polter Finance Hack

Overview of the Polter Finance Hack

Aapsi Khaira's photo
Aapsi Khaira
·

4 min read

What Happened?

Polter Finance, a decentralized lending protocol, was exploited for approximately $8.7 million due to a vulnerability in its price calculation system. The attacker manipulated the price of the BOO token, deposited inflated collateral, and borrowed all assets from the protocol.

This hack was enabled by two key issues:

  1. An insecure price oracle relying on SpookySwap liquidity pools (LP).

  2. The removal of critical flash loan protections without re-auditing the code.

How It Happened?

Let’s break this down step by step.

What is a Flash Loan?

A flash loan is a type of uncollateralized loan offered in DeFi protocols. You can borrow a huge amount of tokens as long as you repay the loan within the same transaction. If the loan isn’t paid back, the entire transaction fails.

  • Why do people use flash loans?
    Traders use flash loans for arbitrage opportunities (to buy assets cheaply and sell at a profit). However, attackers exploit flash loans to manipulate on-chain systems that aren’t secure.

What is a Liquidity Pool (LP)?

A liquidity pool is a pool of tokens provided by users (called liquidity providers) to facilitate decentralized trading. For example, the SpookySwap LP has tokens like BOO and FTM paired together.

  • How does it work?
    When a user trades on SpookySwap, tokens are swapped in and out of the pool. The pool’s token reserves determine the price based on supply and demand. If a token’s reserve drops significantly, its price will rise.

How Did the Hack Work?

Here’s the flow of the attack:

  1. Flash Loan to Manipulate the Liquidity Pool:

  • The attacker took a flash loan to borrow a large amount of BOO tokens.

  • Using these tokens, the attacker drained the BOO reserves in SpookySwap’s LP.

2. Artificial Price Inflation:

  • With almost no BOO tokens left in the pool, the price of BOO skyrocketed because the oracle (price feed) used the pool’s reserves to calculate the token price.

Oracle reported an inflated BOO price due to the imbalance.

Manipulated BOO price:

Depositing Overvalued Collateral:

  • The attacker deposited 1 BOO token as collateral into Polter Finance.

  • Due to the artificially high price, the protocol overvalued the collateral.

Borrowing All Assets:

  • The attacker borrowed all available assets in the lending pool (stablecoins, tokens, etc.) against the inflated BOO collateral.

Validation logic showing the borrowing activity.

Profiting and Repaying the Flash Loan:

  • The attacker swapped the borrowed assets for real value.

  • They repaid the flash loan and walked away with over $7 million in profit.

Key Detail*:
One BOO deposit was all it took to borrow against artificially inflated collateral, proving that in DeFi, sometimes the simplest tricks are the most expensive.*

Exploiter Address: 0x511f427Cdf0c4e463655856db382E05D79Ac44a6
Exploiter Contract: 0xA21451aC32372C123191B3a4FC01deB69F91533a

Flow of Funds: Metasleuth Analysis

Where Did Polter Finance Go Wrong?

  1. Insecure Price Oracle:
  • Polter Finance relied directly on SpookySwap LP reserves to determine the BOO token price. Liquidity pools can be easily manipulated by flash loans.

2. Removed Flash Loan Protections:

  • Polter removed a critical flash loan validation function that would have prevented such attacks.

  • They did not re-audit their updated code after this removal.

3. Documentation showing reliance on the old Geist audit and acknowledgment of removed protections.

4. No Flash Loan Mitigations:

  • There were no safeguards like Time-Weighted Average Prices (TWAP) to prevent single-block manipulation.

How Could This Be Avoided?

Here are best practices to prevent similar exploits in the future:

  1. Use Secure Oracles:
  • Integrate robust oracles like Chainlink or use TWAP-based pricing to ensure price feeds are resistant to manipulation.

2. Flash Loan Protections:

  • Implement checks to validate price consistency across multiple blocks.

  • Introduce borrowing caps to limit how much can be borrowed in a single transaction.

3. Mandatory Re-Audits:

  • Always audit code changes, especially when removing or modifying critical security functions. Never rely on audits of forked protocols.

4. Simulate Real-World Attacks:

  • Use tools like Hardhat or Foundry to simulate flash loan attacks and oracle manipulations before deployment.

Conclusion

The Polter Finance exploit, which led to a loss of $8.7 million, highlights critical security oversights in oracle design and flash loan mitigations.

In DeFi, a single oversight — like removing a flash loan protection — can be catastrophic.

Key Takeaway: Secure your oracles, audit your changes, and never underestimate the simplest exploits.

🔒 Security isn’t optional. It’s a necessity.

defiSolidityWeb3 SecurityWeb3Blockchainblockchain security