In their latest spree, hackers exploited the sPMM algorithm, the core of the WOOFi Swap price mechanism, on the Arbitrum network on March 5th. They used a pattern of flash loans to severely manipulate the value of WOO tokens, pushing the token's price down to nearly zero. Swift action from the team, within just 13 minutes, stopped the stolen amount of $8.5 Million from increasing further.
Spreek, an independent on-chain investigator, spotted the unusual transactions and immediately notified the WOOFi team. In response, the team paused the affected pools and promised to bring them back fully functional within two weeks.
Heads up: we’ve paused these pools. We will follow up shortly with more updates. https://t.co/BlGEo3iYUf
— WOOFi (@_WOOFi) March 5, 2024
Hackers' tactics in attacking the pool
According to the post-mortem released by the team, the exploiter borrowed 7.7 Million WOO as well as some other assets and sold the WOO into WOOFi. At this point, WOOFi’s sPMM incorrectly adjusted WOO to an extreme price which was close to zero.
The exploiter then swapped out 10M WOO in the same transaction with almost no cost. The exploiter repeated this attack 3 times within a very short period, which netted about $8.75m in profits after returning the flash loans.
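A simplified model of the failure described above, next to a reference-price bound that rejects the same trade. This is an added illustration, not WOOFi's sPMM formula or code: the `Pool` class, the linear impact rule, the $0.50 starting price, the impact coefficient and the 5% bound are all assumptions.

```python
# Toy model only: NOT WOOFi's sPMM. All names and constants are hypothetical.
from dataclasses import dataclass

class PriceOutOfBounds(Exception):
    """A trade would move the quote too far from the reference price."""

@dataclass
class Pool:
    price: float            # current quote, USD per token
    impact: float           # assumed price impact per USD of notional sold
    ref_price: float = 0.0  # independent reference price; 0 disables the guard
    max_dev: float = 0.05   # assumed bound: 5% deviation from the reference

    def _check(self, new_price: float) -> None:
        limit = self.max_dev * self.ref_price
        if self.ref_price and abs(new_price - self.ref_price) > limit:
            raise PriceOutOfBounds(f"{new_price:.7f} vs ref {self.ref_price}")

    def sell(self, tokens: float) -> float:
        """Sell tokens into the pool; the quote drops with the notional sold."""
        notional = tokens * self.price
        new_price = self.price * max(1.0 - self.impact * notional, 1e-6)
        self._check(new_price)   # reject before any state is changed
        self.price = new_price
        return notional          # USD paid out to the seller

    def buy_cost(self, tokens: float) -> float:
        """USD needed to buy tokens at the current quote."""
        return tokens * self.price

def run(pool: Pool, sold: float, bought: float):
    """Return (sale proceeds, buy cost), or None if the guard rejects the sale."""
    try:
        proceeds = pool.sell(sold)
    except PriceOutOfBounds:
        return None
    return proceeds, pool.buy_cost(bought)

# 7.7M sold / 10M bought are the post-mortem's amounts; the rest is constructed.
unguarded = run(Pool(0.50, 3e-7), 7_700_000, 10_000_000)
guarded = run(Pool(0.50, 3e-7, ref_price=0.50), 7_700_000, 10_000_000)
small = run(Pool(0.50, 3e-7, ref_price=0.50), 10_000, 10_000)

if __name__ == "__main__":
    print("unguarded (proceeds, buy cost):", unguarded)
    print("guarded large trade:", guarded)
    print("guarded ordinary trade:", small)
```

In the unguarded pool the oversized sale collapses the quote, so the 10M buy costs only a few dollars; with the bound in place the sale is rejected while an ordinary-sized trade still goes through.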
WOOFi faces first breach since its release
WOOFi had not had any problems since its launch in 2021, but things were different in this latest development. The integration of lending markets for WOO on Arbitrum, along with the relatively low levels of liquidity elsewhere, created an opportunity for the attack.
Even though WOOFi Swap was deployed across 10+ networks, the nonexistence of both the WOO token and the WOO lending market on other chains worked as a barrier to reproducing the exploit.
3/ We have already initiated efforts to retrieve these funds, with a 10% whitehat bounty extended to the exploiter. Additionally, a bounty has been placed on @ArkhamIntel for anyone who can provide additional information. https://t.co/oSG0CQa4oP
— WOOFi (@_WOOFi) March 5, 2024
Conclusion:
As of writing, the team is putting huge effort into recovering the lost funds. They have sent an on-chain message to the hacker to open negotiations, offering a generous 10% white hat bounty. In addition, a bounty has been placed on Arkham Intelligence for any valuable information leading to the hackers.
Stay tuned for more information as the investigation unfolds!