Polter Finance, a decentralised lending platform on the Fantom blockchain, was severely impacted by a flash loan exploit on 18 November, resulting in the loss of over $7 million.
Blockchain analyst Nick Franklin confirmed that the attack was a classic example of price manipulation using the platform's token pricing mechanisms.
The attacker first funnelled funds through Tornado Cash, a coin mixer that obfuscates fund origins, before bridging the assets to the Fantom network.
Once on Fantom, the attacker manipulated the price of the SpookySwap governance token (BOO) by borrowing nearly all BOO tokens from the liquidity pool, causing the token's price to spike.
With the price inflated, the attacker deposited just one BOO token and drained the liquidity pools of $9.1 million in wrapped Fantom tokens, profiting $7.8 million.
Further attacks followed, targeting other tokens, including Magic Internet Money (MIM), sFTMX, Axelar USDC, and Bitcoin.
Estimates suggest the total loss may have exceeded $12 million.
While Franklin did not speculate on how the attacker repaid the flash loan, it is possible they purchased additional BOO tokens from other pools at a lower price.
The incident serves as a stark reminder of the risks associated with platforms that rely on low liquidity tokens, which are particularly vulnerable to price manipulation in DeFi ecosystems.
Upon identifying the breach, Polter Finance swiftly paused its platform to mitigate further damage and alerted key bridge operators.
The pseudonymous founder, "Whichghost," filed a police report in Singapore and has been in direct communication with the attacker in an effort to negotiate a resolution.
The exploit, which stemmed from a vulnerability in the platform's newly deployed smart contract, drained user assets, with reported losses exceeding 16.1 million SGD (approximately $12 million USD).
However, some Web3 security firms estimate the actual amount stolen was closer to $7 million.
In addition to the platform's losses, Whichghost personally reported a loss of $223,219 in addition to attaching a post mortem link on Discord.
In a statement posted on X (formerly known as Twitter), Polter Finance revealed that the stolen funds were traced to wallets linked to Binance.
The team also sent an on-chain message to the attacker, offering to negotiate the return of the funds without legal action.
This move underscores the platform's efforts to recover the stolen assets while minimising legal escalation.
Web3 security experts believe the exploit stemmed from a price manipulation attack involving oracles—external data feeds used by platforms to determine token values.
According to findings shared by smart contract audit firm QuillAudits, the vulnerability was tied to how Polter Finance calculated the value of the SpookySwap BOO token.
QuillAudits said:
“The price of the SpookySwap BOO token in the lending pool was determined by the spot price from the SpookySwap v3 pool and v2 pair; calculated based on the token balance ratio in the pool.”
By artificially inflating the price of BOO, the hacker was able to deposit a minimal amount (just one BOO token) and withdraw significantly larger sums in other assets, effectively draining the platform.
Hakan Unal, Senior Blockchain Scientist at Cyvers Ai, noted:
“This case exemplifies a classic Oracle manipulation exploit. The BOO token price is manipulated by the attacker using a flash loan to artificially inflate the BOO token's price.”
In response, Polter Finance has partnered with the Security Alliance Information Sharing and Analysis Center (SEAL-ISAC) to track down the attacker and recover the stolen funds.
Meta has resumed AI training in the U.K., using public content from Facebook and Instagram after resolving privacy concerns with regulators. The company assures users that private messages and data from those under 18 are excluded, though some still worry about privacy and AI's growing role.
AnaisChina's new regulations require digital platforms to clearly label all AI-generated content, including text, images, videos, and audio files. The rules mandate visible logos and metadata, voice prompts for audio, and user identification for AI-generated posts to enhance transparency and prevent misinformation.
WeatherlyCircle and Sony Block Solutions Labs are partnering to make USDC the primary transaction token on the new Soneium blockchain. This collaboration aims to enhance digital transactions and create innovative opportunities in the Web3 space, with Soneium set to launch its mainnet in 2025.
WeatherlyDeltaPrime, a DeFi protocol on Arbitrum, lost $6 million in suspicious transactions. The source of the compromised private key is still under investigation amidst alleged links to North Korean hackers adding complexity to the ongoing investigation.
CatherineAs Typhoon Yagi ravages Vietnam, Binance and KuCoin are stepping up with token airdrops to offer relief. With the death toll over 350 and widespread damage, these airdrops aim to deliver crucial support to affected communities.
KikyoDonald Trump and his family are launching a cryptocurrency project called World Liberty Financial, with the Trump family holding a 70% stake. Despite initial excitement, details about the platform are unclear, and there are concerns about its feasibility and transparency.
JoyScannit plans to launch its financial management app beta after TOKEN2049, allowing users to track spending and earn SCAN tokens for sharing data. Its "Scan-to-Earn" feature rewards users for uploading transaction data, enhancing financial control.
CatherineBybit has secured a provisional license from Dubai’s VARA, signaling progress toward full licensing and strengthening its position in the global crypto market. The company is also expanding in Hong Kong to tap into the growing Asia-Pacific market, reflecting its broader strategy to enhance its global presence.
WeatherlyDBS is launching over-the-counter cryptocurrency options trading and structured notes for institutional and accredited clients, becoming the first Asian bank to offer products directly linked to Bitcoin and Ethereum.
AnaisAI researchers are advocating for a robust contingency plan to address the risk of losing control over AI systems. This measure seeks to prepare for scenarios where AI could act unpredictably, emphasizing the need for strong safeguards and strategies to manage potential risks.
Kikyo
