defirisk.co
rubric v1.7.0

Polter Finance: Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow

Occurred: 2024-11-16 | Loss: $9M | Status: closed

Summary

Polter Finance, a lending / money market protocol (Geist fork), was exploited on 2024-11-16, resulting in a loss of approximately $9M.

What happened

Polter Finance lost $8.7M when an attacker flash-loaned BOO tokens to manipulate the SpookySwap spot price, artificially inflating BOO collateral value in Polter's unaudited lending market to borrow the entire protocol's funds.
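As an added illustration (not from the defirisk.co write-up or from Polter's contracts), the Python below contrasts the two oracle designs behind this incident: valuing collateral from the pool's instantaneous reserve ratio versus a time-weighted average with a deviation guard that pauses borrowing instead of mispricing. Prices, amounts, the 75% LTV and the 10% band are constructed assumptions; observations are modelled as block-end prices, so a swing confined to a single transaction never enters the TWAP.

```python
"""Collateral valuation from a DEX pool: naive spot read vs. TWAP with a deviation guard.
All numbers are constructed for illustration, not Polter/SpookySwap data."""

# Block-end BOO/USD prices as (timestamp_seconds, price). Constructed. Only a price that
# persists to the end of a block lands here, so a same-transaction swing never does.
OBSERVATIONS = [(0, 1.00), (60, 1.01), (120, 0.99), (180, 1.00), (240, 1.00)]
BLOCK_TIME = 60
MANIPULATED_SPOT = 80.0  # instantaneous reserve ratio mid-transaction after a huge one-sided trade

def twap(observations, window, now):
    """Time-weighted average over the trailing `window` seconds ending at `now`;
    each price is weighted by how long it stood before the next observation."""
    start = now - window
    weighted = duration = 0.0
    bounds = observations + [(now, None)]  # the last observation holds until `now`
    for (t0, price), (t1, _) in zip(bounds, bounds[1:]):
        lo, hi = max(t0, start), min(t1, now)
        if hi > lo:
            weighted += price * (hi - lo)
            duration += hi - lo
    if duration == 0:
        raise ValueError("no observations inside window")
    return weighted / duration

def guarded_price(spot, reference, max_deviation=0.10):
    """Hardened read: refuse to price collateral when the pool's instantaneous price strays
    more than `max_deviation` from the TWAP; otherwise value it at the lower of the two."""
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError(f"oracle deviation: spot={spot} twap={reference:.4f}")
    return min(spot, reference)

def max_borrow(collateral_amount, price, ltv=0.75):
    """Borrow ceiling granted against `collateral_amount` tokens valued at `price`."""
    return collateral_amount * price * ltv

def compare(collateral_amount=1_000_000, spot=MANIPULATED_SPOT):
    """Borrow ceiling each oracle design grants during the block containing the spike."""
    now = OBSERVATIONS[-1][0] + BLOCK_TIME
    reference = twap(OBSERVATIONS, window=300, now=now)
    naive = max_borrow(collateral_amount, spot)
    try:
        guarded = max_borrow(collateral_amount, guarded_price(spot, reference))
    except ValueError:
        guarded = None  # borrowing paused instead of mispriced
    return {"twap": reference, "naive_borrow": naive, "guarded_borrow": guarded}
```

With the constructed spike the naive design lends against an 80x-inflated position while the guarded design refuses the read; with a benign 2% move both designs lend, the guarded one at the lower of spot and TWAP.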

Linked factors

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: N/A — no audit performed] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: N/A — no audit performed]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — BOO market was a new addition] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — BOO market was a new addition] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  • RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
  • RD-F-053 — causal : ★ Spot DEX pool oracle without TWAP — root cause [via realtime_signals/Oracle anomaly: Y — BOO spot price in SpookySwap would show extreme anomaly during the drain-and-borrow window] || ★ Oracle source = spot DEX pool (no TWAP, no fallback) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering] || ★ Oracle source = spot DEX pool [via cross-hack: Factor 25: Single-Source TWAP Oracle From Low-Liquidity Pool Used as Lending Collateral]
  • RD-F-055 — related : Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering] || Underlying oracle pool depth [via cross-hack: Factor 25: Single-Source TWAP Oracle From Low-Liquidity Pool Used as Lending Collateral]
  • RD-F-056 — related : Single-pool oracle (no medianization) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — BOO spot price in SpookySwap would show extreme anomaly during the drain-and-borrow window]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — fork of Geist Finance (itself an Aave fork)]
  • RD-F-141 — related : Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  • RD-F-146 — related : New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract] || New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — BOO market was a new addition]