KEY POINTS
- WOOFi said the exploiter took advantage of a vulnerability that caused a price calculation error
- The exploiter attacked the system using the same flaw three times, as per WOOFi
- The platform offered the hacker 10% of the pilfered funds and posted a bounty through Arkham Intelligence
Decentralized finance platform WOOFi on Wednesday announced that millions in cryptocurrencies were lost to an exploit that targeted its swap service on the layer-2 Arbitrum network. The platform has since offered a 10% bounty in exchange for the return of the funds.
WOOFi announced the Tuesday hack in a Wednesday post-mortem report wherein it detailed how the unidentified exploiter manipulated the platform's Synthetic Proactive Market Making (sPMM) algorithm to affect the WOO token's price, resulting in cryptocurrency losses worth approximately $8.75 million.
According to the DeFi platform, the attacker borrowed around 7.7 million WOO tokens and other assets, then sold them on WOOFi, causing the algorithm to value the WOO token incorrectly "to an extreme price which was close to zero." Through the flawed price calculation, the exploiter swapped out 10 million WOO "in the same transaction with almost no cost," repeating the attack three times within a short period. The exploiter was able to pilfer $8.75 million in profits after returning the flash loans.
Crypto security firms and teams immediately picked up the anomalous activity. WOOFi's international transaction monitoring system also detected the hack and by Tuesday afternoon, the platform's swap smart contracts on Arbitrum were paused.
The platform noted that efforts to recover the stolen funds have already been initiated. A 10% whitehat bounty has been offered to the exploiter, and a bounty was posted through crypto intel company Arkham Intelligence for "anyone who can provide additional information" regarding the exploit.
WOOFi noted that "this is the first time an incident like this has happened to us, and we want to make sure it doesn't happen again." The crypto firm reiterated its commitment to resolving the issue and looks to redeploy the service within two weeks. It pledged to continue working with security firms to ensure that vulnerabilities within its system are identified earlier.
The platform said the exploit became economically feasible with the recent addition of a lending market for WOO on Arbitrum and the comparatively low liquidity support for WOO tokens elsewhere on the network.
Other WOOFi contracts, including WOOFi Stake, Earn, and Pro, were unaffected and remain fully functional. If any WOOFi Earn depositors wish to withdraw any funds, they can do so as usual.
Meanwhile, the platform also warned of a fake X (formerly Twitter) account impersonating WOOFi, which asked users to "revoke all approvals to prevent loss of funds" amid the hack. The platform warned its users not to click any links unless the official WOOFi X handle posts them.
News regarding the WOOFi swap system breach came about a week after the hacker of stablecoin protocol Seneca returned over $5 million of some $6.4 million worth of Ether (ETH) stolen from the protocol. That exploit was executed due to a flaw in contract approvals. Seneca offered a 20% bounty to the exploiter, which the hacker apparently accepted.