Decentralized lending platform Polter Finance has been exploited in an attack on the Fantom blockchain, leading to a loss of approximately $12 million in cryptocurrency assets. Following the breach, the platform paused operations and informed its users.
🚨TenArmor Security Alert🚨
A lending project, PolterFinance (@polterfinance), on #Fantom (#FTM) has been compromised, leading to an estimated loss of $12M!
Another case of price oracle exploitation!
The price of SpookySwap BOO token in the lending pool relied on the spot… pic.twitter.com/7fF9ToeaJF
— TenArmorAlert (@TenArmorAlert) November 17, 2024
The exploit targeted Polter Finance’s recently launched SpookySwap (BOO) market, with the attackers exploiting a flash-loan vulnerability linked to incorrect oracle price data.
Why the Hack?
Some market experts have suggested that an ‘empty market’ vulnerability played a role in the hack.
The ‘empty market’ issue occurs in decentralized finance (DeFi) markets when there is very low trading activity or liquidity—meaning there aren’t enough assets or trades happening. In such cases, attackers can easily manipulate the platform’s prices or calculations.
However, another researcher argued that the exploit was caused by incorrect price data provided to the platform. These price feeds are crucial for DeFi platforms to function correctly, and any inaccuracies can create opportunities for attackers to exploit.
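To make the two explanations above concrete, here is an added illustration (not code from Polter Finance or from the article) of why a spot price read from a thinly traded constant-product pool is unsafe for a lending protocol, and of the kind of deviation guard a lending contract can apply before accepting a price. Pool sizes, trade sizes and the 5% threshold are constructed assumptions, not figures from the incident.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product (x*y=k) pool, fee ignored. Hypothetical reserves."""
    reserve_token: float  # the lent asset, e.g. a BOO-like token
    reserve_quote: float  # the quote asset the price is expressed in

    def spot_price(self) -> float:
        """Quote units per token, exactly what a naive reserve-based oracle reports."""
        return self.reserve_quote / self.reserve_token

    def swap_quote_in(self, amount_in: float) -> float:
        """Sell `amount_in` quote for tokens; returns tokens received."""
        k = self.reserve_token * self.reserve_quote
        self.reserve_quote += amount_in
        new_token = k / self.reserve_quote
        out = self.reserve_token - new_token
        self.reserve_token = new_token
        return out


def price_impact(pool: Pool, amount_in: float) -> float:
    """Ratio of spot price after a single quote-in trade to the price before it."""
    before = pool.spot_price()
    pool.swap_quote_in(amount_in)
    return pool.spot_price() / before


def guarded_price(spot: float, reference: float, max_deviation: float = 0.05):
    """Lending-side sanity check: accept the spot reading only if it is within
    `max_deviation` of an independent reference (a TWAP or external feed).
    Returns None when the reading should be rejected, so the caller can refuse
    to value collateral or borrows on it."""
    if reference <= 0:
        raise ValueError("reference price must be positive")
    if abs(spot - reference) / reference > max_deviation:
        return None
    return spot


if __name__ == "__main__":
    # Same trade size against a thin pool and a deep pool (constructed numbers).
    thin, deep = Pool(1_000, 1_000), Pool(1_000_000, 1_000_000)
    print("thin pool price x", price_impact(thin, 1_000))  # 4.0
    print("deep pool price x", price_impact(deep, 1_000))  # ~1.002
    print("guard on thin pool:", guarded_price(thin.spot_price(), 1.0))  # None
```

The guard only detects a manipulated reading; the underlying fix is to price collateral from a liquidity-aware source (TWAP or an external feed) rather than from the reserves of the pool being lent against.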
Efforts to Retrieve Lost Funds
To recover the stolen funds, Polter Finance sent an on-chain message to the attacker, proposing a negotiation and offering immunity. While awaiting a response from the hacker, the platform’s pseudonymous founder, known as Whichghost, also reported the incident to Singaporean authorities.
Authorities verified Whichghost’s identity using Singpass, the country’s digital identity system. According to the police report, the stolen assets were valued at approximately $12 million (over 16.1 million Singapore dollars). Per the filing, the exploit targeted a newly deployed smart contract for BOO token lending.
Community Speculation
Amid these developments, some community members have speculated about the possibility of insider involvement, casting doubt on the platform’s security measures. Critics suggested the police report might serve as a diversion from internal investigations.
However, in their filing, Whichghost denied any mishandling of login credentials, stating:
“I wish to state that I did not provide anyone my login details.”
In addition to filing a police report, Polter Finance has partnered with the Security Alliance Information Sharing and Analysis Center (SEAL-ISAC) to bolster its efforts in tracking down the attacker.