• Blockbasis
  • Posts
  • WOOFI: Navigating DeFi's $8.5 Million Flash Loan Attack

WOOFI: Navigating DeFi's $8.5 Million Flash Loan Attack

Munchables Mayhem: Delving into the $62.5M Exploit - Uncovering the Intricacies of the Rogue Developer's Attack, Speculation of North Korean Involvement, and ZachXBT's Heroic Intervention in the Face of Growing Web3 Security Concerns

TL;DR

In the fast-paced world of DeFi, even the most innovative platforms can fall prey to exploitation. WOOFI, once touted as a cross-chain marvel, faced a devastating $8.5 million flash loan attack on Arbitrum. This blog dissects the breach, revealing the harsh realities and hard lessons of decentralized finance.

Make Sure This Doesn’t Happen To You 🫵

Subscribe to Blockbasis and get access to our premium scanner to check whether your wallet or a contract is safeguarded from hacks 🔐

For a limited period only, you can get a 7 day FREE trial!

All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇

On March 5th, WooFi suffered an $8.5 million loss due to a flash loan attack on Arbitrum. The first to report the incident was Spreek, who also uncovered the Seneca Protocol attack last week.

"Wootrade's WooPPV2 contract exploited for a total attacker haul of 8.5m on Arbitrum. It is now paused, so no further action is needed," Spreek reported.

In response, the WooFi team promptly paused the compromised pools to prevent further damage.

WooFi, which brands itself as "One Dex to rule all chains," provides single-sided yields, cross-chain swaps, perpetual trading, and revenue sharing. This attack, however, casts doubt on their security measures.

2024 has seen a series of attacks on Arbitrum, with Radiant Capital, Gamma Strategies, and Seneca already falling victim.

With the bull market returning, will 2024 surpass 2023 in the severity and frequency of such exploits?

Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.

One of WooFi's oracles on Arbitrum was compromised through a flash loan attack, which artificially manipulated the price of WOO to repay the loans at a lower cost.

By exploiting this vulnerability, the attacker drained funds from the WooPPV2 pool contract, executing the swap function three times to steal approximately $8.5 million.

Although the exploit was detected and the contracts were paused within 13 minutes, the attacker still managed to escape with a significant amount of ETH.

Attacker’s address:

Attack tx:

Attack contract:

The stolen funds were sent to a designated address. WooFi, assuming a whitehat hacker was responsible, sent an on-chain message offering a 10% bounty.

WooFi issued a post-mortem detailing the exploit: In WooFi v2, the sPMM system adjusts oracle prices based on trade value to manage slippage and balance pools. However, an error caused a price adjustment outside the expected range, and the fallback check, usually performed against Chainlink, didn't cover the WOO token price.

The recent addition of a WOO lending market on Arbitrum, combined with relatively low liquidity for WOO tokens elsewhere on the network, made the exploit economically feasible.

Despite an audit by Certik in October 2022 and a bug bounty held by Immunefi in 2022-2023, vulnerabilities remained. The results of the bug bounty are not public, and oracle manipulation and flash loan attacks were not excluded from consideration.

WooFi launched on Arbitrum in November 2022, and it appears someone found a significant bug.

Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter

WooFi stated this was their first incident, but going cross-chain has inherent risks. These risks are becoming more prevalent as more networks interconnect.

The attack on WooFi underscores the need for robust security measures, thorough testing, audits, bug bounties, and a keen understanding of cross-chain complexities. The recent addition of a WOO lending market on Arbitrum, combined with relatively low liquidity, created a fertile ground for exploitation.

WooFi's novel oracle design, not widely used or battle-tested, serves as a reminder for any protocol attempting to innovate.

Ironically, they touted their sPMM design just hours before it was exploited.

Using Chainlink price feeds as a fail-safe poses questions about reliability. Given these circumstances, the attack isn't entirely surprising. This incident is a wake-up call for the DeFi community, highlighting that no system is immune to exploitation, especially in a high-stakes, fast-paced environment.

Protocols should sometimes slow down, particularly when live, as real-time mistakes are more dangerous than those found in testing. It's better to catch errors in the lab than to have them exposed by bad actors or vigilantes.

WooFi suggests a whitehat was behind the attack, but the key point is that they were compromised. Whether the attacker was benevolent or malicious is irrelevant—if your window is broken, does it matter if it was a burglar or a neighbor trying to get in?