WOOFi Exchange Suffers $8 Million Loss in Flash Loan Exploit on Arbitrum

Key takeaways:

• WOOFi introduces 10% whitehat bounty program post $8.5m Arbitrum contract exploit.

• WOOFi aims to resume operations within two weeks and proceed with the planned release of the v3 version

In a recent development, WOOFi, a decentralized exchange (DEX), disclosed a significant financial setback resulting from an exploit in its Arbitrum lending market.

 The exploit, detected by blockchain security firms including PeckShield, Hypernative, and Chainalysis, targeted WOOFi Swap on Arbitrum, resulting in an $8 million flash loan exploit.

The attack, executed through flash loan mechanisms that enable borrowing without collateral within the same transaction block, saw the hacker manipulate WOOFi’s sPMM algorithm. 

By borrowing 7.7 million WOO tokens and additional assets, the attacker caused the algorithm to incorrectly value WOO tokens at near-zero prices. 

At 15:49 UTC, one of the WOOFi oracles on Arbitrum was exploited by a contained attack using flash loans, which manipulated the price of WOO in order to repay the flash loans at a cheaper price. (1/2) https://t.co/jlk7fb0trw

— WOOFi (@_WOOFi) March 5, 2024

Subsequently, they exploited this abnormal pricing to swap out 10 million WOO tokens multiple times, yielding illicit gains of approximately $8.75 million.

Following the incident, the hacker distributed the stolen funds across various externally owned accounts on different blockchains using cross-chain bridges. Although the exact nature of the hack remains undisclosed, WOOFi has assured users that all other WOO contracts are secure. 

The affected contracts were promptly halted, and an investigation into the exploit was initiated, with a detailed report released on March 6.

While efforts are underway to recover the stolen funds, WOOFi has offered a 10% whitehat bounty to the exploiter and emphasized its commitment to addressing vulnerabilities before redeploying WOOFi Swap contracts. 

The incident solely impacted WOOFi v2, leaving other WOOFi contracts unharmed and fully operational. The team has temporarily suspended the v2 swap but is committed to swiftly addressing the issue, with plans to resume operations within two weeks. 

Moreover, they are pressing forward with the launch of the v3 version slated for later this spring.

This incident underscores the importance of robust security measures in the decentralized finance (DeFi) ecosystem and serves as a reminder of the risks associated with flash loan exploits. As WOOFi navigates through this setback, the broader crypto community remains vigilant in addressing vulnerabilities and safeguarding user assets in decentralized platforms.