Early this morning, an attacker stole 30,437 OHM tokens worth approximately $300K from Olympus DAO by exploiting a flaw in one of its bond smart contracts.
“This bug was not found by three auditors, nor by our internal code review, nor reported via our Immunefi bug bounty,” the DAO announced on its Discord channel.
“We have closed the affected markets and all other funds are safe. We will compensate all affected bonders in full and are exploring how to do this in the best way possible, either through a contract or airdrop,” the post continued.
Olympus further added that only a limited amount of funds was at risk, and that the attacker could have claimed a bounty of up to $3.3 million by reporting the flaw through the bug-hunting platform Immunefi instead.
According to blockchain security firm PeckShield, the exploit stemmed from a flaw in the DAO’s BondFixedExpiryTeller contract, whose redeem() function did not properly validate its input.
PeckShield also clarified that the affected bond contracts were not written by the DAO itself but by Bond Protocol for the pilot launch of $OHM bonds.
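The sketch below is an added illustration of the bug class described above, not Bond Protocol's or OlympusDAO's code: a redeem() function that trusts a caller-supplied bond-token address for everything it needs to know (what asset to pay out, whether the bond has expired, how much to burn). An attacker can hand it a token contract of their own whose burn() does nothing and whose underlying() names the teller's real reserve asset, so any amount is paid out. The contract and function names (BondTellerUnsafe, BondTellerSafe, FakeBondToken, issued, underlyingOf, _register) are assumptions; the hardened variant shows the standard fix of only redeeming tokens the teller itself issued and looking up the payout asset from the teller's own records.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Bond Protocol's or OlympusDAO's code. All contract
// and function names below are assumptions chosen for the example.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IBondToken {
    function underlying() external view returns (IERC20);
    function expiry() external view returns (uint48);
    function burn(address from, uint256 amount) external;
}

// Vulnerable pattern: every fact about the bond (payout asset, expiry, amount
// actually burned) is read from a contract address chosen by the caller.
contract BondTellerUnsafe {
    function redeem(IBondToken token, uint256 amount) external {
        require(uint48(block.timestamp) >= token.expiry(), "not expired");
        token.burn(msg.sender, amount);                 // attacker's token: no-op
        // pays the real reserve asset out of the teller's own balance
        require(token.underlying().transfer(msg.sender, amount), "transfer failed");
    }
}

// Attacker-controlled token: reports the teller's reserve asset as its
// underlying, is always "expired", and burns nothing, so any amount pays out.
contract FakeBondToken is IBondToken {
    IERC20 private immutable reserveAsset;

    constructor(IERC20 _reserveAsset) { reserveAsset = _reserveAsset; }

    function underlying() external view override returns (IERC20) { return reserveAsset; }
    function expiry() external pure override returns (uint48) { return 0; }
    function burn(address, uint256) external override {}
}

// Hardened pattern: only tokens this teller deployed may be redeemed, and the
// payout asset is recorded at issuance instead of being asked of the token.
contract BondTellerSafe {
    mapping(address => bool) public issued;
    mapping(address => IERC20) public underlyingOf;

    // Called by the teller's own bond-creation path when it deploys a bond token.
    function _register(IBondToken token, IERC20 asset) internal {
        issued[address(token)] = true;
        underlyingOf[address(token)] = asset;
    }

    function redeem(IBondToken token, uint256 amount) external {
        require(issued[address(token)], "teller: unknown bond token");
        require(uint48(block.timestamp) >= token.expiry(), "not expired");
        token.burn(msg.sender, amount);
        require(underlyingOf[address(token)].transfer(msg.sender, amount), "transfer failed");
    }
}
```

The check a reviewer wants to see is the first require in BondTellerSafe.redeem: the teller must be able to prove it created the token before it acts on anything the token says about itself. Reading the payout asset from the teller's own mapping rather than from the token removes the second trust assumption as well.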
Surprisingly, just hours after confirming the hack on its Discord channel, Olympus shared much better news with the community.
“Funds have been returned to the DAO wallet,” read the post. “We will communicate on the OHM bond payment and plan moving forward in the coming hours.”
Etherscan data confirms the return transaction.
Founded in May 2021, OlympusDAO is the organization behind OHM, a decentralized and censorship-resistant reserve currency backed by assets such as FRAX and DAI.