A hacker drained 30,437 OHM tokens (about $300,000) from one of Olympus DAO’s smart contracts on Ethereum at 1:22 a.m. ET today.
The incident took place because a contract failed to properly validate the hacker’s malicious fund transfer request, according to security firm PeckShield.
The affected contract, known as “BondFixedExpiryTeller,” was used to open bonds denominated in Olympus DAO’s OHM tokens. The contract lacked input validation in its “redeem()” function, which allowed the attacker to manipulate input values and redeem funds, PeckShield said.
In the official Discord, the Olympus team acknowledged the exploit and said: “This morning, an exploit occurred through which the attacker was able to withdraw roughly 30K OHM ($300K) from the OHM bond contract.” The team said the rest of the $268 million staked on Olympus DAO was safe and that it planned to compensate users hurt by today’s incident.
Olympus DAO is a DeFi protocol with a treasury that backs the OHM token. It offers cryptocurrency bonds denominated in vested OHM tokens. The DAO issues OHM tokens at a discount to investors in exchange for their cryptocurrencies, a process designed to increase its treasury over time. The bonds are managed with smart contracts, one of which was involved in today’s security incident.