Forta detected and flagged the Olympus DAO hack before it happened
In a tweet on September 21, Forta, the decentralized network that detects threats and anomalies on DeFi, NFT, governance, bridges and other Web3 systems in real-time, claimed to have detected and flagged the $300,000 Olympus DAO hack before it took place.
Although the hacker later returned all the 30,437 OHM tokens worth about $300,000 that they had stolen, Forta’s tweet resulted in a thread of tweets from the community wondering why the hack still took place despite Forta raising the alarm.
The OlympusDAO hack: what went wrong?
On September 21 at 1:22 am ET, A Hacker was able to drain 30,437 OHM tokens from a smart contract on Bond Protocol that Olympus DAO operated. According to security firm PeckShield, the hack took place because of a failed verification of the malicious fund transfer request from the hacker.
PeckShield said:
“The affected contract, known as ‘BondFixedExpiryTeller,’ was used to open bonds denominated in the Olympus DAO’s OHM tokens. The contract lacked a validation input in the ‘redeem() function,’ which allowed the attacker to trick input values to redeem funds.”
Forta’s claim of detecting the hack before it took place also mentions the same ‘BondFixedExpiryTeller’ smart contract. Forta in a tweet said:
“Minutes before the attack happened, Forta’s suspicious contract bot, powered by machine learning, fired indicating that @OlympusDAO’s BondFixedExpiryTeller contract was about to be attacked”
The hack still took place despite Forta’s detection
The Olympus team in the official Discord acknowledged that the hack took place saying:
“This morning, an exploit occurred through which the attacker was able to withdraw roughly 30K OHM ($300K) from the OHM bond contract at Bond Protocol.”
While responding to concerns about why the hack still took place despite prior flagging, Forta said:
“That alert fired just 21s after the contract was deployed and 1min and 39s before the attack. Although human intervention might not have prevailed, it is clear that leveraging monitoring to build circuit breakers into protocols should be a critical part of Web3’s future.”
But it is still not clear how Olympus would have responded to the alert from Forta since some believe pausing the contract would have attracted a DDOS attack.
One by the name of Taiga while responding to Forta on Twitter said:
“How would you recommend acting in this case? If they would of automatically paused the contract based on this alert then they would be susceptible to DDOS attacks where I would spam-deploy odd contracts referencing their address. Genuinely curious how to best use Forta.”
Another by the name of Christian Seifert said:
“I think pause is a big hammer. I think a more nuanced approach is needed that slows down the attacker/ mitigates the attack, but leaves the protocol still functioning for reg users. Time locks come to mind, but this needs to be fleshed out more.”
However, taking everything into consideration just as one of the Twitter responders highlighted “half the battle is early detection. The other half is prevention. The second half hasn’t mattered historically because early detection wasn’t a thing. Now that it is, the focus shifts to prevention mechanisms, and this needs to be implemented at the application level.”