Polter Finance Drained of Most Funds in Massive Exploit
Polter Finance, a decentralised lending platform on the Fantom blockchain, was severely impacted by a flash loan exploit on 18 November, resulting in the loss of over $7 million.
Blockchain analyst Nick Franklin confirmed that the attack was a classic example of price manipulation using the platform's token pricing mechanisms.
The attacker first funnelled funds through Tornado Cash, a coin mixer that obfuscates fund origins, before bridging the assets to the Fantom network.
Once on Fantom, the attacker manipulated the price of the SpookySwap governance token (BOO) by using the flash-loaned funds to pull nearly all of the BOO out of the SpookySwap liquidity pool, skewing the pool's reserve ratio and causing the spot price to spike.
With the price inflated, the attacker deposited a single BOO token as collateral, which the lending pool now valued at the manipulated price, and borrowed against it to drain $9.1 million in wrapped Fantom (WFTM) from the pool, netting about $7.8 million.
Further attacks followed, targeting other tokens, including Magic Internet Money (MIM), sFTMX, Axelar USDC, and Bitcoin.
Estimates suggest the total loss may have exceeded $12 million.
While Franklin did not speculate on how the attacker repaid the flash loan, it is possible they purchased additional BOO tokens from other pools at a lower price.
The incident serves as a stark reminder of the risks associated with platforms that price collateral from low-liquidity tokens, whose thin pools are particularly vulnerable to price manipulation in DeFi ecosystems.
Polter Finance Took Action
Upon identifying the breach, Polter Finance swiftly paused its platform to mitigate further damage and alerted key bridge operators.
The pseudonymous founder, "Whichghost," filed a police report in Singapore and has been in direct communication with the attacker in an effort to negotiate a resolution.
The exploit, which stemmed from a vulnerability in the platform's newly deployed smart contract, drained user assets, with reported losses exceeding 16.1 million SGD (approximately $12 million USD).
However, some Web3 security firms estimate the actual amount stolen was closer to $7 million.
In addition to the platform's losses, Whichghost personally reported a loss of $223,219 and shared a link to a post-mortem on Discord.
In a statement posted on X (formerly known as Twitter), Polter Finance revealed that the stolen funds were traced to wallets linked to Binance.
The team also sent an on-chain message to the attacker, offering to negotiate the return of the funds without legal action.
This move underscores the platform's efforts to recover the stolen assets while minimising legal escalation.
Industry Experts Weigh in
Web3 security experts believe the exploit stemmed from a price manipulation attack involving oracles—external data feeds used by platforms to determine token values.
According to findings shared by smart contract audit firm QuillAudits, the vulnerability was tied to how Polter Finance calculated the value of the SpookySwap BOO token.
QuillAudits said:
“The price of the SpookySwap BOO token in the lending pool was determined by the spot price from the SpookySwap v3 pool and v2 pair; calculated based on the token balance ratio in the pool.”
By artificially inflating the price of BOO, the hacker was able to deposit a minimal amount (just one BOO token) and withdraw significantly larger sums in other assets, effectively draining the platform.
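The following is an added toy model of the exploit path described here and in the opening section (it is not Polter Finance or SpookySwap code, and the pool sizes, loan-to-value ratio and flash-loan amount are constructed). A constant-product pair exposes its reserve ratio as a spot price; a lending pool that reads that price as its oracle can be tricked, within one transaction, into valuing one BOO at millions of WFTM. The same run with a time-weighted average oracle sampled at block boundaries shows why the manipulation then buys the attacker nothing.

```python
"""Toy model of the attack: AMM spot price used as a lending oracle, a flash loan
that skews the pool, a one-token collateral deposit and an oversized borrow.
Added example, not Polter Finance or SpookySwap code; all numbers are constructed."""

from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class ConstantProductPool:
    """Uniswap-v2-style x*y=k pair holding BOO and wrapped FTM (swap fee omitted)."""
    boo: float
    wftm: float

    def spot_price(self) -> float:
        """BOO priced in WFTM straight from the reserve ratio: the vulnerable oracle."""
        return self.wftm / self.boo

    def swap_wftm_for_boo(self, wftm_in: float) -> float:
        k = self.boo * self.wftm
        new_boo = k / (self.wftm + wftm_in)
        boo_out = self.boo - new_boo
        self.boo, self.wftm = new_boo, self.wftm + wftm_in
        return boo_out

    def swap_boo_for_wftm(self, boo_in: float) -> float:
        k = self.boo * self.wftm
        new_wftm = k / (self.boo + boo_in)
        wftm_out = self.wftm - new_wftm
        self.boo, self.wftm = self.boo + boo_in, new_wftm
        return wftm_out


@dataclass
class TwapOracle:
    """Average of the pool price sampled once per block at the block boundary
    (the Uniswap v2 cumulative-price idea, simplified). A swap that is unwound
    inside a single transaction never reaches a boundary, so it cannot move this."""
    pool: ConstantProductPool
    window: int = 10
    samples: List[float] = field(default_factory=list)

    def on_block_end(self) -> None:
        self.samples.append(self.pool.spot_price())
        self.samples = self.samples[-self.window:]

    def price(self) -> float:
        return sum(self.samples) / len(self.samples)


@dataclass
class LendingPool:
    """Lends WFTM against BOO collateral valued by `oracle`, up to `ltv` of that value."""
    wftm_liquidity: float
    oracle: Callable[[], float]
    ltv: float = 0.8

    def borrow_against(self, boo_collateral: float) -> float:
        wanted = boo_collateral * self.oracle() * self.ltv
        granted = min(wanted, self.wftm_liquidity)
        self.wftm_liquidity -= granted
        return granted


def run_attack(use_twap: bool, flash_loan_wftm: float = 99_900_000.0) -> dict:
    """One attacking transaction; returns the prices involved and the attacker's net WFTM."""
    pool = ConstantProductPool(boo=10_000.0, wftm=100_000.0)  # honest price: 10 WFTM per BOO
    twap = TwapOracle(pool)
    for _ in range(twap.window):  # ten quiet blocks before the attack
        twap.on_block_end()
    lending = LendingPool(9_000_000.0, twap.price if use_twap else pool.spot_price)
    honest = pool.spot_price()

    # 1. Flash-loan WFTM and buy almost all of the BOO out of the pair: the ratio explodes.
    boo_bought = pool.swap_wftm_for_boo(flash_loan_wftm)
    price_used = lending.oracle()

    # 2. Deposit a single BOO as collateral and borrow as much WFTM as the oracle allows.
    borrowed = lending.borrow_against(1.0)

    # 3. Sell the remaining BOO back to the pair to raise the flash-loan repayment.
    wftm_back = pool.swap_boo_for_wftm(boo_bought - 1.0)
    net = borrowed + wftm_back - flash_loan_wftm
    return {"honest_price": honest, "price_used": price_used,
            "borrowed": borrowed, "attacker_net_wftm": net}


if __name__ == "__main__":
    for label, use_twap in (("spot-price oracle", False), ("TWAP oracle", True)):
        print(label, run_attack(use_twap))
```

With the spot oracle the pool values one BOO at ten million WFTM and lends out eight million against it; with the block-boundary TWAP the same BOO is still worth ten WFTM and the attacker ends the transaction slightly out of pocket. A deviation check that refuses to lend when spot and TWAP disagree by more than a few percent is a cheap second layer on top of this.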
Hakan Unal, Senior Blockchain Scientist at Cyvers Ai, noted:
“This case exemplifies a classic Oracle manipulation exploit. The BOO token price is manipulated by the attacker using a flash loan to artificially inflate the BOO token's price.”
In response, Polter Finance has partnered with the Security Alliance Information Sharing and Analysis Center (SEAL-ISAC) to track down the attacker and recover the stolen funds.