Voltage Finance / Ola Finance: ERC677 callAfterTransfer() reentrancy in Compound fork — borrow before balance update
Voltage Finance lost $4M to the exact same ERC677 reentrancy that had hit two other Compound forks on Gnosis chain weeks earlier — the attack looped through BUSD, USDC, FUSD, WBTC, WETH, and FUSE by withdrawing both borrow proceeds and collateral tokens before the protocol registered the debt.
Summary #
Voltage Finance / Ola Finance suffered a Lending / Money Market (Compound fork via Ola Finance) on 2022-03-31, resulting in a loss of approximately $4M.
What happened #
Voltage Finance lost $4M to the exact same ERC677 reentrancy that had hit two other Compound forks on Gnosis chain weeks earlier — the attack looped through BUSD, USDC, FUSD, WBTC, WETH, and FUSE by withdrawing both borrow proceeds and collateral tokens before the protocol registered the debt.
Linked factors #
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Likely unaudited for ERC677 compatibility; inherited Compound fork risk]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding; contract deployment; then rapid multi-asset borrowing sequence]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound fork (via Ola Finance "Compound-like instance" architecture)]
- RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Yes — Compound fork (via Ola Finance "Compound-like instance" architecture)]