WOOFi Swap Hack: Flash Loan Exploit Steals $8.5 Million in WOO Tokens

The post WOOFi Swap Hack: Flash Loan Exploit Steals $8.5 Million in WOO Tokens appeared first on Coinpedia Fintech News

Hackers executed a sophisticated attack on the sPMM algorithm, the heart of WOOFi Swap’s price mechanism on the Arbitrum network on March 5th. Employing a clever pattern of flash loans, they deftly manipulated the value of WOO tokens, driving it perilously close to zero.

But swift action from the WOOFi team, within a mere 13 minutes, curtailed the stolen amount at $8.5 million, preventing further escalation.

Understanding Exploiter’s Tactics

Independent on-chain investigator, Spreek, detected the unusual transactions and promptly alerted the WooFi team.

Wootrade's WooPPV2 contract exploited for a total attacker haul of 8.5m on arbitrum. It is now paused, so no further action is needed.

(Deleted the previous post because it was spreading misinfo. I regret the error) pic.twitter.com/BJCLTeKEYu

— Spreek (@spreekaway) March 5, 2024

In response, the team temporarily halted the affected pools, assuring users of a fully functional return within two weeks.

Heads up: we've paused these pools. We will follow up shortly with more updates. https://t.co/BlGEo3iYUf

— WOOFi (@_WOOFi) March 5, 2024

According to the team’s post-mortem analysis, the exploiter borrowed 7.7 million WOO and other assets, selling the WOO into WOOFi. This action led to an erroneous adjustment in WOOFi’s sPMM, drastically reducing the WOO token’s value to near-zero.

Did You Know? Crypto Hack Round-up: Industry Loses $67 Million in February 2024

Striking Gold – Thrice!

Exploiting the glitch, the attacker exchanged 10 million WOO in the same transaction at almost no cost. This relentless assault was repeated three times in quick succession, yielding a staggering $8.75 million in profits after repaying the flash loans.

Moving Away from Stability

Unlike its uneventful journey since the 2021 launch, WOOFiSwap faced unprecedented challenges in this latest ordeal. The integration of lending markets for WOO in Arbitrum, coupled with limited liquidity elsewhere, presented a golden opportunity for hacking.

Despite being deployed across 10+ networks, the absence of both the WOO token and the WOO lending market in other chains acted as a crucial barrier, preventing the replication of the exploits.

3/ We have already initiated efforts to retrieve these funds, with a 10% whitehat bounty extended to the exploiter. Additionally, a bounty has been placed on @ArkhamIntel for anyone who can provide additional information.https://t.co/oSG0CQa4oP

— WOOFi (@_WOOFi) March 5, 2024 On the Road to Recovery

As of now, the WOOFi team is tirelessly working to recover the lost funds. Offering a substantial 10% white hat bounty, they have initiated on-chain negotiations with the hacker. Simultaneously, a reward has been posted on Arkham Intelligence for any valuable information leading to the identification of the hackers.

Read More: Crypto Hacks of the Week: Breaches, Scams, and Rug Pulls Rock the Market

What next? Stay tuned.