DeFi lending platform Polter Finance is working to recover $12 million lost in a flash loan attack exploiting a faulty oracle on its new SpookySwap market.
According to its latest update, Polter Finance is collaborating with the Security Alliance, a group of white hat hackers and security experts focused on combating cyber threats in crypto, to identify the attacker and expedite fund recovery.
Among other efforts, the DeFi protocol has contacted the exploiter via an on-chain message and offered to negotiate a bounty and not pursue legal action if the attacker returns the stolen funds.
Meanwhile, Polter Finance’s pseudonymous founder, Whichghost, filed a police report in Singapore, stating that the protocol lost over 16.1 million Singapore dollars (approximately $11.98 million) in the attack.
Whichghost also reported personal losses exceeding $223,000 in the incident.
According to Web3 security firm TenArmor, the incident was “another case of price oracle exploitation,” where attackers manipulate the data feeds—known as oracles—that DeFi platforms use to determine asset prices.
In this case, the attacker exploited Polter Finance’s reliance on the spot price of the BOO token on SpookySwap, as analyzed by blockchain security firm BlockSec Phalcon.
Using a flash loan to drain BOO token reserves from the WFTM-BOO liquidity pair, they artificially inflated the token’s price, enabling them to borrow far more than the collateral’s actual value.
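The mechanism described above can be reproduced with a small model. This is an added example, not Polter Finance's or SpookySwap's code; the reserves, the 50% loan-to-value ratio, the zero swap fee and the `guarded_price` deviation check are all assumptions made for illustration.

```python
from fractions import Fraction

class Pair:
    """Constant-product WFTM-BOO pool (wftm * boo = k); swap fee ignored."""
    def __init__(self, wftm, boo):
        self.wftm, self.boo = Fraction(wftm), Fraction(boo)

    def spot_price(self):
        # BOO priced in WFTM, read directly from the current reserves.
        return self.wftm / self.boo

    def buy_boo(self, wftm_in):
        # A large buy removes BOO from the pool while keeping k constant.
        k = self.wftm * self.boo
        self.wftm += wftm_in
        boo_out = self.boo - k / self.wftm
        self.boo -= boo_out
        return boo_out

def borrow_limit(collateral_boo, price, ltv=Fraction(1, 2)):
    # Value of debt allowed against BOO collateral (ltv is an assumed 50%).
    return collateral_boo * price * ltv

def guarded_price(spot, reference, max_dev=Fraction(1, 10)):
    # Hypothetical mitigation: reject a spot price that strays more than
    # max_dev from an independent reference (e.g. a time-averaged feed).
    if abs(spot - reference) > reference * max_dev:
        raise ValueError("spot price deviates from reference")
    return spot

def simulate():
    pair = Pair(wftm=1_000_000, boo=1_000_000)   # constructed reserves
    reference = pair.spot_price()                # 1 WFTM per BOO
    honest = borrow_limit(1_000, reference)      # 500
    pair.buy_boo(9_000_000)                      # borrowed capital drains BOO
    spot = pair.spot_price()                     # 100
    inflated = borrow_limit(1_000, spot)
    try:
        guarded_price(spot, reference)
        blocked = False
    except ValueError:
        blocked = True
    return {"spot": spot, "honest": honest, "inflated": inflated, "blocked": blocked}

if __name__ == "__main__":
    print(simulate())
```

Removing 90% of the BOO reserve multiplies the spot price by 100 in this model, so the same collateral supports 100 times the debt unless the lending market checks the price against something the pool's current reserves cannot move.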
At the time of writing, Polter has yet to issue an official post-mortem report confirming the nature of the attack, but the protocol has traced the stolen funds to wallets on the crypto exchange Binance.
POLTER, the platform’s native token, has plummeted by over 85% following the exploit. Meanwhile, data from DefiLlama reveals the total value locked in the protocol has plunged from $9.77 million on Nov. 16 to just $61,603 at press time.
November has been rife with DeFi vulnerabilities, and this marks the third significant exploit this month. As reported by crypto.news, Aptos-based Thala protocol lost over $25 million worth of assets from its liquidity pools due to a vulnerability in its farming contracts. However, the project managed to recover almost all of the funds after the attacker agreed to a $300,000 bounty.
Prior to that, on Nov. 11, DeltaPrime, another lending and borrowing protocol, lost $4.8 million worth of digital assets. Like Polter Finance, the protocol sent an on-chain message to the hacker to negotiate the return of all stolen assets.