WOOFi, a decentralized finance platform, experienced an exploit on March 5th that targeted its swap feature on the Arbitrum network. The event resulted in a loss of approximately $8.75 million in crypto assets.
The platform said it has initiated efforts to recover these funds and has offered a 10% whitehat bounty to the exploiter. Additionally, a bounty has been placed on Arkham Intelligence for anyone providing additional information.
WOOFi’s Exploit
According to the post-mortem report, the sPMM algorithm governing pricing on WOOFi Swaps was exploited on Arbitrum. The attack involved a series of flash loans leveraging low liquidity to manipulate the price of WOO, allowing the exploiter to repay the loans at a reduced cost.
The exploiter borrowed around 7.7 million WOO and other assets, selling the tokens on WOOFi. This action caused WOOFi’s sPMM to inaccurately adjust WOO to an extremely low price, enabling the exploiter to swap out 10 million WOO in the same transaction nearly cost-free.
The exploiter repeated this attack three times within a brief period, resulting in profits of approximately $8.75 million after repaying the flash loans.
WOOFi revealed that the sPMM in its second version is designed to supersede oracle prices by considering users’ trade notional values to regulate slippage and uphold pool equilibrium.
However, a glitch led to an extensive deviation from the expected range ($0.00000009), and the fallback check, typically executed against Chainlink, did not include the WOO token price.
Conservative Listing Strategy Pays Off
WOOFi also said that its sPMM had been incident-free since its introduction back in 2021, primarily because of the “conservative approach” to listing new assets. The platform’s stringent listing process made initiating an exploit with major assets like ETH nearly impossible.
However, it blamed the recent introduction of a lending market for WOO on Arbitrum, coupled with relatively limited liquidity support for WOO tokens elsewhere on the network, which rendered the exploit economically viable.
While WOOFi Swap is operational across more than ten networks, none other than Arbitrum featured both the WOO token and a WOO lending market, effectively thwarting the replication of the same exploit on alternate networks.
Meanwhile, a recent report by CertiK said the crypto sector suffered losses of around $160 million in February due to exploits, hacks, and scams. These numbers reflected a minor decrease compared to January despite an uptick in prices. Among these losses, flash loans accounted for only $138,000.
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
The post appeared first on CryptoPotato