-
Notifications
You must be signed in to change notification settings - Fork 70
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* 2024-03-05-WooFi * fixes * fixes * 2024-03-04-OrdiZK * 2024-03-04-OrdiZK.md * remove ordizk * grammar, style, and formatting fixes --------- Co-authored-by: Evgeny Dmitriev <[email protected]>
- Loading branch information
1 parent
4f90324
commit 45ea646
Showing
1 changed file
with
40 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| --- | ||
| date: 2024-03-05 | ||
| target-entities: WOOFi | ||
| entity-types: | ||
| - DeFi | ||
| - Exchange | ||
| attack-types: | ||
| - Smart Contract Exploit | ||
| - Flash Loan | ||
| title: "The WOOFi suffered a flash loan exploit on Arbitrum" | ||
| loss: 7969434 | ||
| --- | ||
|
|
||
| ## Summary | ||
| On March 5th, WOOFi Swaps' sPMM algorithm was exploited on the Arbitrum network. The attacker used a sequence of flash loans to manipulate the price of the WOO token due to low liquidity. The exploit occurred due to a combination of the sPMM algorithm vulnerability, incorrect price adjustment, and a failure in the fallback check mechanism. The attacker was able to use flash loans to manipulate the price of WOO and drain funds from the affected pool. WOOFi has initiated efforts to recover the funds and offered a 10% white hat bounty to the exploiter. | ||
|
|
||
| ## Attackers | ||
| The attacker market as WOOFi Exploiter 1. The hacker used the following addresses to exploit and transfer the funds: | ||
| - Arbitrum: | ||
| - [0x9961190B258897BCa7a12B8f37F415E689D281C4](https://arbiscan.io/address/0x9961190B258897BCa7a12B8f37F415E689D281C4) - WOOFi Exploiter 1 | ||
| - Funds Holder Address | ||
| - [0xb59d04d9957C9e266dfF5c4173D4d2324Eb029Ad](https://arbiscan.io/address/0xb59d04d9957c9e266dff5c4173d4d2324eb029ad) - WOOFi Exploiter 2 | ||
| - Affected pool | ||
| - [0xeff23b4be1091b53205e35f3afcd9c7182bf3062](https://arbiscan.io/address/0xeff23b4be1091b53205e35f3afcd9c7182bf3062) - WooPPV2 | ||
|
|
||
| ## Losses | ||
| The WooFi lost around 7.9 million USD worth 2,223.1 ETH. The stolen funds still remain in attackers' addresses, major part on the Arbitrum chain (2023 ETH), rest part on the Ethereum chain (199 ETH) as of Mar 7,2024. | ||
|
|
||
| ## Timeline | ||
| - **March 5, 2024, 15:42 PM UTC:** The attacker did first malicious [transaction](https://arbiscan.io/tx/0x57e555328b7def90e1fc2a0f7aa6df8d601a8f15803800a5aaf0a20382f21fbd) | ||
| - **March 5, 2024, 16:03 PM UTC:** The X account named @spreekaway posted about incident. | ||
| - **March 5, 2024, 16:08 PM UTC:** The exploiter started [transferring](https://arbiscan.io/tx/0x5e78f19a01c16a0b3dff180e0372457d72c6d5c76b13a1f91529a405166179d1) stolen funds to the Ethereum chain using via Stargate Router. | ||
| - **March 5, 2024, 16:12 PM UTC:** The WOOFi [posted](https://twitter.com/_WOOFi/status/1765047837727891853) on the X account about they paused affected pools. | ||
| - **March 5, 2024, 16:37 PM UTC:** PeckShield is a blockchain security company, [posted](https://twitter.com/PeckShieldAlert/status/1765054155478175943) on X, that WOOFI has been exploited. | ||
| - **March 5, 2024 18:40 PM UTC:** The WooFi sent [on-chain message](https://etherscan.io/tx/0x45fb400b3cd1a4b04d8e26fa8e5b5fc92003aadf28a000b9c0766c9a408a4af8) to the hacker offering white hat bounty 10% of the stolen funds white hat bounty. | ||
|
|
||
| ## Security Failure Causes | ||
| **Price Calculation Issue:** The primary cause of the security failure was an exploit of the sPMM algorithm that controls the pricing on WOOFi Swaps. The attacker used flash loans to manipulate the price of WOO, taking advantage of low liquidity. WOOFi's sPMM algorithm incorrectly adjusted the WOO price to an extreme value close to zero. This allowed the attacker to swap out 10 million WOO in the same transaction with almost no cost. | ||
|
|
||
| **Fallback Check Failure:** The fallback check, which is usually executed against Chainlink, did not cover the WOO token price, allowing the attacker to drain funds from the Woo pool contract (WooPPV2). |