WooFi Loses $8.75 Million in Price Manipulation Attack

The WooFi team suspects that the introduction of its new Arbitrum-based lending market for the WOO token created a vulnerability that led to the exploit

A series of at least four flash loan attacks enabled WooFi's hacker to earn almost $9 million

Yesterday, the decentralized exchange WooFi fell victim to an exploit on Arbitrum, resulting in a loss of $8.75 million.

On-chain security experts, including Beosin, revealed that the hacker utilized the flash loan technique. This allowed the attacker to borrow a substantial amount of USDC and WOO, the native token of the compromised exchange, without providing collateral. Flash loans can dispense with collateral because the borrowed amount must be returned within the same transaction; if it is not, the entire transaction reverts.


According to Beosin, the hacker then executed multiple token swaps, enabling them to manipulate the price calculation within the contract. Another security research group, PeckShield, suggested that the WOO price manipulation aimed to drain funds from the Woo pool contract (WooPPV2). This assessment was confirmed by the WooFi team, which released a detailed post-mortem of the exploit.

"The exploiter borrowed nearly 7.7 million WOO, along with other assets, and sold the WOO on WooFi," explained WooFi. "Subsequently, WooFi's sPMM incorrectly adjusted the WOO price to an extreme value close to zero. The exploiter then swapped out 10 million WOO in the same transaction at almost no cost." This attack was repeated three times in quick succession, resulting in a gain of almost $9 million after the flash loans were returned.

The WooFi team suspects that the specific design of the platform's synthetic proactive market making (sPMM) created the vulnerability, and that it was exacerbated by the introduction of an Arbitrum-based lending market for the WOO token. Prior to that addition, there had been no incidents since the project's inception in 2021. However, the new lending market introduced a vulnerability that was compounded by the low liquidity available for WOO tokens.
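The defensive lesson in the post-mortem is that a pool's internally adjusted price should never be trusted when it has drifted far from an independent reference within a single transaction. The following Python model is an added, constructed illustration and is not WooFi's sPMM code or anything from its post-mortem: the `ToyPool` impact rule, the `within_bound` guard, the `PriceOutOfBounds` exception, the `same_transaction_sequence` driver, the 2% deviation bound and all reserve, price and loan figures are invented. It replays the described pattern (flash-borrow, sell into the pool, buy back at the collapsed quote, repay) once without a guard and once with a guard that compares the post-trade pool price to a reference oracle price and reverts the swap when the gap exceeds the bound.

```python
"""Toy pool that adjusts its own quoted price after every trade, plus a
price-deviation guard against an external reference price.

Constructed example for illustration only: the pool arithmetic is a simple
stand-in and is NOT WooFi's sPMM code; reserves, prices, the loan size and
the 2% bound are invented numbers.
"""

from dataclasses import dataclass
from typing import Optional


class PriceOutOfBounds(Exception):
    """Raised when a swap would leave the pool price too far from the reference."""


def within_bound(pool_price: float, reference_price: float, max_deviation_bps: int) -> bool:
    """True if pool_price is within max_deviation_bps of reference_price."""
    deviation_bps = abs(pool_price - reference_price) / reference_price * 10_000
    return deviation_bps <= max_deviation_bps


@dataclass
class ToyPool:
    price: float                              # pool's own quote, in USDC per token
    token_reserve: float                      # tokens held by the pool
    quote_reserve: float                      # USDC held by the pool
    reference_price: Optional[float] = None   # external oracle price; None disables the guard
    max_deviation_bps: int = 200              # assumed policy: reject if > 2% away from reference

    def _check(self, new_price: float) -> None:
        """Guard: refuse any swap whose resulting quote strays too far from the oracle."""
        if self.reference_price is not None and not within_bound(
            new_price, self.reference_price, self.max_deviation_bps
        ):
            raise PriceOutOfBounds(f"post-trade price {new_price} vs reference {self.reference_price}")

    def sell_tokens(self, amount: float) -> float:
        """Seller hands over `amount` tokens for USDC at the current quote; the quote
        then drops in proportion to trade size (toy impact rule, not sPMM's)."""
        r = self.token_reserve
        new_price = self.price * (r / (r + amount)) ** 2
        self._check(new_price)  # revert before any state changes, as a contract would
        proceeds = min(amount * self.price, self.quote_reserve)
        self.quote_reserve -= proceeds
        self.token_reserve += amount
        self.price = new_price
        return proceeds

    def buy_tokens(self, amount: float) -> float:
        """Buyer pays USDC for `amount` tokens at the current (possibly collapsed) quote."""
        if amount >= self.token_reserve:
            raise ValueError("pool cannot sell its entire reserve")
        r = self.token_reserve
        new_price = self.price * (r / (r - amount)) ** 2  # inverse of the sell rule
        self._check(new_price)
        cost = amount * self.price
        self.quote_reserve += cost
        self.token_reserve -= amount
        self.price = new_price
        return cost


def same_transaction_sequence(guarded: bool) -> dict:
    """Replays the pattern described in the article inside one 'transaction':
    flash-borrow tokens, sell them into the pool, buy them back at the collapsed
    quote, repay the loan. Returns the outcome so it can be checked."""
    pool = ToyPool(
        price=0.5,
        token_reserve=1_000_000,
        quote_reserve=1_000_000,
        reference_price=0.5 if guarded else None,
    )
    borrowed = 3_000_000  # flash-loaned tokens (constructed figure)
    try:
        usdc_received = pool.sell_tokens(borrowed)
        usdc_paid = pool.buy_tokens(borrowed)  # buy back enough to repay the loan
    except PriceOutOfBounds:
        # The whole transaction reverts: the pool keeps its reserves and the
        # flash loan is unwound with no gain for the borrower.
        return {"reverted": True, "attacker_net_usdc": 0.0, "pool_usdc": 1_000_000.0}
    return {
        "reverted": False,
        "attacker_net_usdc": usdc_received - usdc_paid,
        "pool_usdc": pool.quote_reserve,
    }


if __name__ == "__main__":
    print("unguarded:", same_transaction_sequence(guarded=False))
    print("guarded:  ", same_transaction_sequence(guarded=True))
```

In the unguarded run the pool pays out its whole USDC reserve on the sell, re-quotes the token at a fraction of the oracle price, and sells the tokens back for almost nothing; in the guarded run the first swap already fails the bound check, so nothing leaves the pool. Checking the post-trade price before state changes is what makes the guard effective against repeated attempts within one transaction, since no sequence of swaps can push the quote beyond the bound.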

WooFi emphasizes that the exploit was unique to its platform and would not have been possible with major assets like Ether. Other contracts such as Earn, Stake, and Pro remain unaffected, and cryptocurrency users can withdraw their funds without limitations.

Currently, the team plans to address the issue and redeploy WooFi Swap v2 within two weeks. Additionally, they anticipate the release of version 3 later this spring.


Yesterday, another Web3 project, the Sherlock audit marketplace, fell victim to an exploit as well. Sherlock's account on X was hacked, enabling phishing scammers to send malicious posts impersonating the reputable project.

Image: Malicious post from the compromised Sherlock account (source: PeckShield, X)

According to Sherlock, "The culprit seems to have been a fake (verified) Twitter account with a fake Calendly link."

The malicious post published through the compromised X account announced "Major new contest: Blast Platform Audit Update," promising a prize pool of 145,000 USDC, with rewards "split among all participants."

Calendly, a popular scheduling application, has been frequently abused by scammers since last November, when a phishing campaign was detected that exploited the application's "Add Custom Link" feature to insert phishing links into event pages. Impersonating the legitimate Calendly application has also been a common tactic in phishing attacks.

Earlier this year, another legitimate project, the CoinGecko crypto data aggregator, was affected by the Calendly scam as well. In that case, one of the CoinGecko employees clicked on a deceptive Calendly link, granting unauthorized access to the attacker and allowing them to use the employee's account to post on behalf of CoinGecko.