Hacker Siphons $300,000 From Olympus DAO, Returns It Hours Later

DeFi Protocol Olympus DAO became the latest to be hacked in October, as a hacker siphoned off $300,000 in a major security exploit. The hacker returned the funds following a negotiated deal that saw them pocket a bounty. 

The Olympus DAO hack is the latest in a number of hacks that have taken place during the ongoing month. 

Olympus DAO, The Latest Victim 

Olympus DAO became the latest target of cyber attackers, with hackers making off with around 30,000 OHM tokens worth around $300,000 this morning. However, the hacker had a change of heart and returned all the funds back to the DAO just hours later. Olympus DAO alerted community members about the hack through Discord, stating, 

“This morning, an exploit occurred through which the attacker was able to withdraw roughly 30K OHM ($300K) from the OHM bond contract at Bond Protocol. This bug was not found by three auditors, nor by our internal code review, nor reported via our Immunefi bug bounty.”

Olympus stated that only a limited amount of funds were put at risk and that the amount stolen was only a fraction of the $3.3 million bounty the hacker could have claimed through Immunefi had they reported the exploit. 

Details Of The Hack 

According to security firm PeckShield, the attack occurred because a protocol contract failed to validate the hacker’s fund transfer request. The hacker utilized the affected contract, called “BondFixedExpiryTeller,” to open bonds denominated in Olympus DAO’s OHM tokens. The contract lacked a validation input in the “redeem()function,” allowing the hacker to trick input values to redeem funds. 

“We need to clarify that these are NOT OlympusDAO contracts. Instead, the affected one was written by Bond Protocol, which was used for the pilot launch of OHM bonds.”

Olympus DAO stated that it had closed all affected markets and stressed that all other funds were safe. The Olympus DAO team also added that it was exploring ways in which it could compensate affected users. 

Hacker Returns Funds 

Just a few hours later, Olympus DAO shared another update with users, stating that the hacker had returned the stolen funds to the protocol. 

“Funds have been returned to the DAO wallet. We will communicate on the OHM bond payment and plan moving forward in the coming hours.”

Reports suggest that the attacker either had a change of heart, negotiated a bounty, or was a white hat hacker who wanted to highlight the vulnerability in the protocol. 

The Month Of Hacktober 

October has seen a wave of hackings that have rocked the crypto and DeFi spaces. On the 6th of October, DeFi protocol Sovryn suffered a major exploit, with hackers draining $1.1 million from the Bitcoin-based decentralized finance platform. Then, on the 13th of October, hackers targeted Solana-based lending platform Mango Markets and drained $117 million from the protocol. The wave of hackings continued with the BitKeep wallet hack that saw $1 million worth of funds stolen. 

The past couple of days saw two more significant exploits, with Moola Market being hacked for $9 million. However, the hacker returned most of the stolen funds, choosing to keep a $500,000 bounty. The latest hack, prior to the Olympus DAO hack, was an attack on the Ethereum Alarm Clock Service, resulting in losses worth $260,000.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.