WOOFi confirms $8.75 million exploit on its Arbitrum market

By Benson Toti
  • WOOFi has released a post-mortem report confirming an $8.75 million exploit on its lending market on Arbitrum.
  • The decentralized exchange has offered a 10% whitehat bounty to the attacker.

Decentralized exchange WOOFi suffered an $8.75 million exploit that targeted its lending market on Arbitrum, according to a report the platform released on Wednesday.

In a post-mortem report, the WOOFi team noted that the attacker manipulated its Synthetic Proactive Market Making (sPMM) algorithm.

After the team paused the manipulated contracts, an investigation into the attack revealed that the hacker carried out a series of flash loan attacks, starting at around 15:49 UTC on March 5.

“The exploit consisted of a sequence of flash loans that took advantage of low liquidity to manipulate the price of WOO in order to repay the flash loans at a cheaper price,” the team noted.

During the attack, the exploiter borrowed approximately 7.7 million WOO tokens as well as other cryptocurrencies. They then sold these tokens into WOOFi, causing the sPMM to incorrectly adjust the WOO token’s price to near zero.

With the anomalous pricing in place, the attacker proceeded to quickly swap out 10 million WOO three times.

While various blockchain security platforms, including PeckShield, Chainalysis, Hypernative, and Wintermute, swiftly picked up the exploit, the attacker had already made off with $8.75 million in profits.

WOOFi offers 10% whitehat bounty

WOOFi is offering a 10% whitehat bounty to the attacker as efforts to recover the funds continue. The platform has also initiated a bounty on Arkham Intelligence.

Meanwhile, the exchange says its WOOFi Pro, Stake, and Earn services were not affected and remain “fully operational.”

WOO’s price fell sharply after the attack, from around $0.59 to lows of $0.48. The token changed hands at $0.52 at the time of writing.