Verify a decision

{"actor":"system:backfill","investigation_id":"a0f97084-611a-43c6-bef3-3b6e998f63a6","kind":"publish","page_slug":"voltage-finance","published_at":"2026-06-01T17:49:53.788Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Voltage Finance","sections":[{"content":"Voltage Finance launched on the Fuse Network as 'FuseFi' before rebranding to Voltage Finance in early 2022 in anticipation of its VOLT governance token launch. The protocol is described as an all-in-one DeFi hub on Fuse Network, offering automated market maker (AMM) swaps, a lending and borrowing market (built in partnership with Ola Finance), yield farming, veVOLT staking, and a cross-chain bridge. In February 2022, the team announced the closure of a $3.4 million private funding round and the upcoming VOLT token generation event (TGE). The protocol operates as a DAO with governance handled via Snapshot voting. Voltage Finance was originally incubated by the Fuse Foundation before being spun out as an independent DAO. The VOLT token has a maximum supply of 10 billion and reached an all-time high of approximately $0.00534 in March 2022, coinciding with its TGE.","heading":"Protocol Overview and History","severity":"low","sources":[{"credibility":2,"name":"Voltage Finance closes $3.4M private round, releases details of token launch — PR Newswire","type":"news","url":"https://www.prnewswire.com/news-releases/voltage-finance-closes-private-round-at-3-4m-and-releases-details-of-the-public-volt-volt-governance-token-launch-301486632.html"},{"credibility":2,"name":"Rebrand: FuseFi becomes Voltage Finance — Fuse Network News","type":"official","url":"https://news.fuse.io/rebrand-fusefi-becomes-voltage-finance/"},{"credibility":2,"name":"What is Voltage Finance [VOLT] — Fuse Network News","type":"official","url":"https://news.fuse.io/what-is-voltage-finance-volt/"}]},{"content":"On March 31, 2022, at approximately 5:00 AM UTC+3, an attacker exploited the Voltage Finance lending pool — deployed in partnership with Ola Finance — through a reentrancy vulnerability in the ERC-677 token standard used by the Fuse Network for bridged tokens. ERC-677 tokens include a built-in callAfterTransfer() callback function; the attacker exploited the incompatibility between this standard and the Compound-forked lending contracts, which failed to follow the checks-effects-interactions pattern. The attacker initiated the attack by taking a 515 WETH flash loan from the WETH-WBTC pair on Voltage Finance itself to fund collateral, then exploited the callback to withdraw collateral without repaying the loan, repeating the cycle across multiple assets. Assets stolen totaled approximately $4.67 million: 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 WETH, 26.25 WBTC, and 1,240,000.00 FUSE. Attacker addresses on Fuse Network were identified as 0x632942c9BeF1a1127353E1b99e817651e2390CFF and 0x9E5b7da68e2aE8aB1835428E6E0c83a7153f6112, with a receiving Ethereum address of 0x371d7c9e4464576d45f11b27cf88578983d63d75. Funds were bridged to Ethereum and remained unrecovered. The team flagged the attacker's address on Etherscan, contacted Circle (USDC issuer) to request blacklisting, and attempted to negotiate a bounty return with the attacker. A similar reentrancy vulnerability had affected Hundred Finance and Agave approximately two weeks earlier in mid-March 2022, resulting in combined losses of approximately $11 million across those protocols.","heading":"March 2022 Reentrancy Exploit (Ola Finance / Voltage Lending)","severity":"critical","sources":[{"credibility":2,"name":"Ola and Voltage Lending Exploit on Fuse: Post Mortem — Ola Finance Medium","type":"official","url":"https://ola-finance.medium.com/ola-and-voltage-lending-exploit-on-fuse-post-mortem-214c13d88443"},{"credibility":1,"name":"Ola Finance Says Attackers Stole $4.7M in 'Re-Entrancy' Exploit — CoinDesk","type":"news","url":"https://www.coindesk.com/tech/2022/04/01/ola-finance-says-attackers-stole-47m-in-re-entrancy-exploit"},{"credibility":2,"name":"Voltage Finance Suffers $4 Million Stablecoin Theft — Crypto Briefing","type":"news","url":"https://cryptobriefing.com/voltage-finance-suffers-4-million-stablecoin-theft/"},{"credibility":2,"name":"Voltage Finance — REKT — Rekt.news","type":"research","url":"https://rekt.news/voltage-finance-rekt"},{"credibility":2,"name":"Ola — Voltage Exploit Transparency Report — Voltage Finance Medium","type":"official","url":"https://medium.com/@voltage.finance/ola-voltage-exploit-on-fuse-network-transparency-report-compensation-plan-and-future-steps-de00cb816dfb"}]},{"content":"On March 18, 2025, Voltage Finance suffered a second exploit targeting its Simple Staking pools. Approximately $322,113 was drained, consisting of $171,027.20 in USDCE and $151,085.87 in WETH. The attack involved a malicious proxy upgrade: an attacker gained access to the SimpleChefStaking contract, changed its proxy to a malicious implementation, called a forceWithdraw function to drain pooled funds, and then reverted the proxy to avoid immediate detection. In a post-mortem published two days after the incident, Voltage Finance stated that a developer hired in September of the prior year had deployed the SimpleChefStaking contract and had not transferred ownership of the proxy after deployment as required, retaining privileged access. The protocol stated it 'suspected' this individual may have been involved based on 'suspicious behavior' but did not confirm the developer was the attacker. The developer's access was immediately revoked and police reports were filed, including with authorities in Finland. Voltage Finance offered a $50,000 bounty to the attacker upon full return of stolen funds and stated it was collaborating with centralized exchanges and law enforcement to trace the assets. No public confirmation of fund recovery has been reported.","heading":"March 2025 Simple Staking Exploit (Alleged Insider)","severity":"critical","sources":[{"credibility":2,"name":"Voltage Finance Transparency Post Mortem Report: Simple Staking Hack — Voltage Finance Medium","type":"official","url":"https://medium.com/@voltage.finance/voltage-finance-transparency-post-mortem-report-simple-staking-hack-ecde06c6b8bc"},{"credibility":2,"name":"Voltage Finance Exploiter Resurfaces, Moves $182K in ETH to Tornado Cash — Bitget News","type":"news","url":"https://www.bitget.com/news/detail/12560604744418"}]},{"content":"In May 2025, blockchain security firm CertiK reported that the wallet associated with the March 2022 Voltage Finance exploit had resumed activity after being dormant for approximately 166 days. On or around May 6, 2025, 100 ETH valued at approximately $182,783 was moved through Tornado Cash, a cryptocurrency mixing service. CertiK noted the funds were transferred from a secondary address traceable to the original exploiter's cluster, not the primary exploit wallet. This activity indicates the 2022 attacker has retained control of at least a portion of the stolen assets and is actively laundering them through privacy tools. No recovery or legal action against the attacker has been publicly confirmed.","heading":"2022 Exploiter Moves Stolen Funds via Tornado Cash (May 2025)","severity":"high","sources":[{"credibility":2,"name":"Voltage Finance exploiter moves $182K in ETH to Tornado Cash — CoinTelegraph","type":"news","url":"https://coinspectator.com/cointelegraph/2025/05/07/voltage-finance-exploiter-moves-182k-in-eth-to-tornado-cash/"},{"credibility":2,"name":"Voltage Finance hacker moves $182K in ETH to Tornado Cash — Cryptopolitan","type":"news","url":"https://www.cryptopolitan.com/voltage-finance-hacker-moves-182k-in-eth/"},{"credibility":2,"name":"Voltage Finance Exploiter Resurfaces — Bitget News","type":"news","url":"https://www.bitget.com/news/detail/12560604744418"}]},{"content":"On February 5, 2022, the Meter.io cross-chain bridge was exploited for approximately $4.4 million. The attacker maliciously minted large quantities of BNB and WETH by exploiting a deposit function in Meter Passport, a fork of ChainSafe's ChainBridge that lacked input validation on native token amounts. This hack indirectly affected Hundred Finance, a separate Compound-fork lending protocol, which lost an additional $3.3 million when opportunistic actors used the artificially cheapened BNB.bsc tokens as collateral to borrow against Chainlink's global price oracle. Available sources do not establish a direct financial loss to Voltage Finance from this incident. Voltage Finance uses the Fuse Network's own bridge infrastructure rather than Meter Passport, and the February 2022 Meter exploit is not attributed as a Voltage Finance incident. It is noted here for context given the cluster of bridge and lending protocol exploits in the first quarter of 2022 that affected the broader Fuse and Compound-fork DeFi ecosystem.","heading":"Meter Bridge Hack — Indirect Exposure (February 2022)","severity":"low","sources":[{"credibility":2,"name":"Explained: The Meter.io Hack (February 2022) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-meter-io-hack-february-2022"},{"credibility":1,"name":"Latest DeFi bridge exploit results in $4.4M losses for Meter — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/latest-defi-bridge-exploit-results-in-4-4m-losses-for-meter"}]},{"content":"Voltage Finance does not publicly disclose the identities of its core development team on its official documentation or website. The March 2025 exploit post-mortem revealed that the protocol hired a developer who was granted privileged proxy ownership over a production staking contract and failed to transfer that ownership as required — a significant access-control failure. The protocol's post-mortem acknowledged that an individual with insider access was suspected in the theft, and that the developer had retained unrevoked administrative keys to a live contract holding user funds. The team has not named the suspect publicly. The Fuse Foundation originally incubated the project; however, Voltage Finance was spun out as an independent DAO in March 2022 and the relationship between the DAO's current governance and the Foundation is not clearly documented in publicly available materials. The anonymous or pseudonymous nature of the development team limits accountability.","heading":"Team Transparency and Access Controls","severity":"high","sources":[{"credibility":2,"name":"Voltage Finance Transparency Post Mortem Report: Simple Staking Hack — Voltage Finance Medium","type":"official","url":"https://medium.com/@voltage.finance/voltage-finance-transparency-post-mortem-report-simple-staking-hack-ecde06c6b8bc"},{"credibility":2,"name":"Rebrand: FuseFi becomes Voltage Finance — Fuse Network News","type":"official","url":"https://news.fuse.io/rebrand-fusefi-becomes-voltage-finance/"}]},{"content":"As of early 2026, the Voltage Finance application remains operational at voltage.finance, with a GitHub organization showing repository activity into 2026. The VOLT governance token trades at approximately $0.000055 as of January 2026, down significantly from its March 2022 all-time high of approximately $0.00534, representing a decline of roughly 99% from peak. The protocol's market capitalization stands at approximately $216,000 as of that date, placing it in the lowest tier of tracked DeFi protocols by size. The protocol has not announced a formal security audit of its current contracts in publicly accessible documentation. The combination of two exploits totaling approximately $4.99 million in confirmed losses, an alleged insider theft, and an extremely low token valuation represents material operational and trust risk for users considering depositing funds.","heading":"Current Operational Status and Token","severity":"high","sources":[{"credibility":2,"name":"Voltage Finance (VOLT) Price, Investors & Funding, Charts — Chain Broker","type":"research","url":"https://chainbroker.io/projects/voltage-finance/"},{"credibility":2,"name":"Voltage Finance · GitHub","type":"official","url":"https://github.com/voltfinance"}]}],"sources_used":[{"name":"Ola and Voltage Lending Exploit on Fuse: Post Mortem — Ola Finance","type":"official","url":"https://ola-finance.medium.com/ola-and-voltage-lending-exploit-on-fuse-post-mortem-214c13d88443"},{"name":"Ola Finance Says Attackers Stole $4.7M in 'Re-Entrancy' Exploit — CoinDesk","type":"news","url":"https://www.coindesk.com/tech/2022/04/01/ola-finance-says-attackers-stole-47m-in-re-entrancy-exploit"},{"name":"Voltage Finance Suffers $4 Million Stablecoin Theft — Crypto Briefing","type":"news","url":"https://cryptobriefing.com/voltage-finance-suffers-4-million-stablecoin-theft/"},{"name":"Voltage Finance — REKT — Rekt.news","type":"research","url":"https://rekt.news/voltage-finance-rekt"},{"name":"Ola — Voltage Exploit Transparency Report — Voltage Finance Medium","type":"official","url":"https://medium.com/@voltage.finance/ola-voltage-exploit-on-fuse-network-transparency-report-compensation-plan-and-future-steps-de00cb816dfb"},{"name":"Voltage Finance Transparency Post Mortem Report: Simple Staking Hack","type":"official","url":"https://medium.com/@voltage.finance/voltage-finance-transparency-post-mortem-report-simple-staking-hack-ecde06c6b8bc"},{"name":"Voltage Finance exploiter moves $182K in ETH to Tornado Cash — CoinTelegraph","type":"news","url":"https://coinspectator.com/cointelegraph/2025/05/07/voltage-finance-exploiter-moves-182k-in-eth-to-tornado-cash/"},{"name":"Voltage Finance hacker moves $182K in ETH to Tornado Cash — Cryptopolitan","type":"news","url":"https://www.cryptopolitan.com/voltage-finance-hacker-moves-182k-in-eth/"},{"name":"Voltage Finance Exploiter Resurfaces — Bitget News","type":"news","url":"https://www.bitget.com/news/detail/12560604744418"},{"name":"Explained: The Meter.io Hack (February 2022) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-meter-io-hack-february-2022"},{"name":"Latest DeFi bridge exploit results in $4.4M losses for Meter — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/latest-defi-bridge-exploit-results-in-4-4m-losses-for-meter"},{"name":"Voltage Finance closes $3.4M private round — PR Newswire","type":"news","url":"https://www.prnewswire.com/news-releases/voltage-finance-closes-private-round-at-3-4m-and-releases-details-of-the-public-volt-volt-governance-token-launch-301486632.html"},{"name":"Rebrand: FuseFi becomes Voltage Finance — Fuse Network","type":"official","url":"https://news.fuse.io/rebrand-fusefi-becomes-voltage-finance/"},{"name":"What is Voltage Finance [VOLT] — Fuse Network","type":"official","url":"https://news.fuse.io/what-is-voltage-finance-volt/"},{"name":"Voltage Finance (VOLT) Price and Market Data — Chain Broker","type":"research","url":"https://chainbroker.io/projects/voltage-finance/"},{"name":"Voltage Finance GitHub Organization","type":"official","url":"https://github.com/voltfinance"}],"summary":"Voltage Finance (formerly FuseFi) is a decentralized finance protocol operating on the Fuse Network, offering token swapping, lending, liquidity farming, and cross-chain bridging via an automated market maker. The protocol has been the subject of two confirmed security exploits: a March 2022 reentrancy attack that drained approximately $4.67 million from its lending pools via a third-party partner (Ola Finance), and a March 2025 insider-related exploit of its Simple Staking pools resulting in approximately $322,000 in losses. No funds were recovered in either incident as of the time of this investigation.","timeline":[{"date":"2021-12-01","event":"Voltage Finance (then FuseFi) closes initial private funding round at $2.3 million.","source":"PR Newswire","source_url":"https://www.prnewswire.com/news-releases/voltage-finance-closes-private-round-at-3-4m-and-releases-details-of-the-public-volt-volt-governance-token-launch-301486632.html"},{"date":"2022-02-05","event":"Meter.io bridge exploited for $4.4 million; Hundred Finance loses an additional $3.3 million in a related incident. Voltage Finance is not directly affected but the broader Fuse/Compound-fork ecosystem is put on notice.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/latest-defi-bridge-exploit-results-in-4-4m-losses-for-meter"},{"date":"2022-02-21","event":"Voltage Finance closes $3.4 million total private round and announces VOLT governance token TGE details; protocol rebrands from FuseFi.","source":"PR Newswire","source_url":"https://www.prnewswire.com/news-releases/voltage-finance-closes-private-round-at-3-4m-and-releases-details-of-the-public-volt-volt-governance-token-launch-301486632.html"},{"date":"2022-03-03","event":"VOLT token generation event (TGE) and listing on Voltage Finance DEX.","source":"Fuse Network News","source_url":"https://news.fuse.io/rebrand-fusefi-becomes-voltage-finance/"},{"date":"2022-03-15","event":"Hundred Finance and Agave protocols exploited via similar ERC-677 reentrancy vulnerability, losing approximately $11 million combined — a warning sign for Compound-fork protocols using ERC-677 tokens.","source":"Crypto Briefing","source_url":"https://cryptobriefing.com/voltage-finance-suffers-4-million-stablecoin-theft/"},{"date":"2022-03-31","event":"Voltage Finance lending pool (deployed with Ola Finance) drained for approximately $4.67 million via ERC-677 reentrancy exploit. Attacker uses flash loan from Voltage's own AMM to fund the attack.","source":"Ola Finance — Post Mortem","source_url":"https://ola-finance.medium.com/ola-and-voltage-lending-exploit-on-fuse-post-mortem-214c13d88443"},{"date":"2022-04-01","event":"Ola Finance and Voltage Finance publish transparency reports; funds flagged on Etherscan, Circle contacted to freeze USDC portion. Funds are bridged to Ethereum and remain unrecovered.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2022/04/01/ola-finance-says-attackers-stole-47m-in-re-entrancy-exploit"},{"date":"2025-03-18","event":"Voltage Finance Simple Staking pools exploited for approximately $322,113. A former developer with retained proxy ownership is alleged to have changed the staking contract implementation and called a forceWithdraw function to drain funds.","source":"Voltage Finance Medium — Post Mortem","source_url":"https://medium.com/@voltage.finance/voltage-finance-transparency-post-mortem-report-simple-staking-hack-ecde06c6b8bc"},{"date":"2025-03-20","event":"Voltage Finance publishes post-mortem on Simple Staking hack; offers $50,000 bounty for return of funds; states police reports have been filed, including with authorities in Finland.","source":"Voltage Finance Medium — Post Mortem","source_url":"https://medium.com/@voltage.finance/voltage-finance-transparency-post-mortem-report-simple-staking-hack-ecde06c6b8bc"},{"date":"2025-05-06","event":"CertiK reports that the wallet cluster linked to the March 2022 Voltage Finance exploit has moved 100 ETH (~$182,783) to Tornado Cash after 166 days of dormancy.","source":"CoinTelegraph / CertiK","source_url":"https://coinspectator.com/cointelegraph/2025/05/07/voltage-finance-exploiter-moves-182k-in-eth-to-tornado-cash/"}]},"v":1}