Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 214 · Oracle Manipulation

Polter Finance BOO Oracle Drain

$8.7M drained from Polter Finance on Fantom after a flash loan inflated the SpookySwap BOO oracle to $1.37 trillion per token. Polter shut down.


On November 17, 2024, the Fantom-based lending protocol Polter Finance was exploited for approximately $8.7 million (the team's post-incident police report cited a higher $12M figure including downstream effects). The attacker manipulated the BOO token oracle through a flash loan on SpookySwap pools, valuing one BOO at $1.37 trillion at the moment Polter read the price. Polter shut down operations after the exploit.

What happened

Polter Finance was a Geist-Aave-style lending market on Fantom that accepted BOO (SpookySwap's governance token) as collateral. The protocol's oracle for BOO did not use a trusted external source; instead, it read the spot price directly from SpookySwap V2/V3 pools at every query.

For most tokens, spot-oracle reads are dangerous; for BOO, with relatively thin pool liquidity, they were catastrophic. The attacker:

  1. Flash-borrowed 269,042 BOO from SpookySwap V2 and 1,154,788 BOO from SpookySwap V3 — combined ~1.4M BOO.
  2. Removed those tokens from the SpookySwap pools, dramatically reducing the BOO reserves available for trading.
  3. With BOO reserves crashed, the SpookySwap spot-price oracle reported a wildly inflated BOO price — approximately $1.37 trillion per token in the most extreme reading.
  4. Deposited a single BOO token as collateral on Polter — the oracle valued the deposit at the inflated rate, granting the attacker effective borrowing power against trillions of dollars in nominal collateral.
  5. Borrowed every available asset Polter had to lend — stablecoins, ETH, BTC and other Fantom assets — totalling approximately $8.7M.
  6. Repaid the flash loans (returning the borrowed BOO to the pools, restoring liquidity and the spot price), and walked away with the borrowed assets.

Aftermath

  • Polter Finance paused the protocol and the team attempted on-chain bounty negotiation with the attacker. No response.
  • Polter filed a police report claiming $12M in losses, including secondary effects on dependent protocols and reputational damage.
  • The team announced the protocol would not relaunch — the loss exceeded Polter's reserves and the user-trust impact was unrecoverable.
  • Funds were laundered through cross-chain bridges and mixers.

Why it matters

Polter Finance is one of many cases in the "spot-oracle lending protocol on chain X with thin liquidity" pattern that has produced recurring nine-figure cumulative losses across DeFi history:

  • Cream Finance (Oct 2021) — yUSD spot-pool manipulation.
  • Inverse Finance (Apr 2022) — INV thin Sushiswap pool oracle.
  • Vee Finance (Sep 2021) — single Pangolin oracle on Avalanche.
  • UwULend (Jun 2024) — Curve get_p spot reads in sUSDe oracle median.
  • Polter Finance (Nov 2024) — SpookySwap spot oracle for BOO.

Every incident has the same structural cause: the lending protocol consumed a price from an oracle whose underlying data source the attacker could move in a single transaction. The defensive answer — time-weighted oracle medians from multiple sources, with hard caps on the rate of allowable price change per block — is well-documented but unevenly adopted, particularly by protocols deploying on smaller chains where Chainlink and similar aggregators have limited coverage.
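A minimal model of the defence named above, added here as an illustration and not taken from Polter or any cited source: each source is averaged over a block window, the median across sources is taken, and the result is clamped to a maximum move per block. The class and function names, the 30-block window, the 2% cap and the price feed are constructed assumptions, as is sampling each source once per block.

```python
from collections import deque
from statistics import median

class GuardedOracle:
    """Median of per-source TWAPs, clamped to a maximum move per block (hypothetical)."""

    def __init__(self, n_sources, window=30, max_move=0.02):
        self.sources = [deque(maxlen=window) for _ in range(n_sources)]
        self.max_move = max_move   # assumed cap: 2% per block
        self.last_price = None     # last price handed to the lending market
        self.last_block = None

    def observe(self, prices):
        """Record one end-of-block price per source."""
        for history, p in zip(self.sources, prices):
            history.append(p)

    def price(self, block):
        # Same-block re-query returns the cached value, so repeated calls
        # inside one block cannot ratchet the price up by the cap each time.
        if block == self.last_block:
            return self.last_price
        if any(len(h) == 0 for h in self.sources):
            raise RuntimeError("a source has no history; refuse to price")
        # Equal block spacing, so each TWAP is a plain mean; then the median.
        candidate = median(sum(h) / len(h) for h in self.sources)
        if self.last_price is not None:
            blocks = block - self.last_block
            hi = self.last_price * (1 + self.max_move) ** blocks
            lo = self.last_price * (1 - self.max_move) ** blocks
            candidate = min(max(candidate, lo), hi)
        self.last_price, self.last_block = candidate, block
        return candidate

def replay(spike_sources):
    """Constructed feed: 3 sources near $1.00, then a one-block spike on some."""
    oracle = GuardedOracle(n_sources=3)
    for _ in range(30):
        oracle.observe([1.00, 1.01, 0.99])
    before = oracle.price(29)
    # 1.37e12 is the inflated per-token figure quoted in this dossier.
    oracle.observe([1.37e12 if i in spike_sources else 1.0 for i in range(3)])
    return before, oracle.price(30)
```

With one source spiked the median ignores it; with all three spiked the arithmetic TWAPs are still enormous, and only the per-block cap holds the reported price to a 2% move.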

The deeper lesson: a lending protocol's safety is the floor of its oracle quality, not the ceiling of its smart-contract quality. A perfectly-audited lending contract on top of a manipulable oracle is exactly as safe as the oracle. Polter's $8.7M (or $12M, depending on accounting) is the recurring price of underestimating this hierarchy.

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-polter-finance-hack-november-2024
  2. [02] decrypt.co: https://decrypt.co/292080/crypto-lender-polter-finance-hack-drains-funds
  3. [03] bitdegree.org: https://www.bitdegree.org/crypto/news/12-million-exploit-forces-polter-finance-to-shut-down-operations
