$8.75m Flash Loan Attack on WOOFi Swap; 10% Bounty Available for Negotiation
In a recent incident, hackers exploited the sPMM algorithm, the core of the WOOFi Swap pricing mechanism on the Arbitrum network. Using flash loans, they manipulated the price of the WOO token, driving it almost to zero. The WOOFi team acted quickly and kept the stolen amount from growing further, stopping it at $8.5 million.
Independent investigator Spreek discovered the unusual transactions and immediately alerted the WOOFi team. In response, the team temporarily paused the affected pools and assured users that the pools would be fully functional again within two weeks.
The hackers used a specific tactic to attack the pool. They borrowed 7.7 million WOO and other assets, then sold the WOO tokens to WOOFi. This caused WOOFi's sPMM to incorrectly adjust the price of WOO to an extremely low value. The hackers then swapped out 10 million WOO in the same transaction at minimal cost. They repeated this attack three times in a short period, resulting in profits of around $8.75 million after returning the flash loans.
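An added example, not from the article or from WOOFi: a toy pool whose quote moves with every trade, replaying the sequence described above with and without a bound on how far the post-trade quote may drift from an independent reference price. The price-update rule, the 0.50 USD starting price, the coefficient `k` and the 5% bound are constructed assumptions; this is not the sPMM algorithm.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ToyPool:
    """Toy self-quoting pool. Assumed model, NOT WOOFi's sPMM code."""
    price: float                     # pool's current USD quote per token (constructed)
    ref_price: float                 # independent reference price (assumed available)
    k: float = 1.29e-7               # constructed slippage coefficient per USD traded
    max_dev: Optional[float] = None  # allowed drift from ref_price; None = unguarded

    def _trade(self, tokens: float, sign: int) -> float:
        """sign=-1: user sells tokens to the pool; sign=+1: user buys from it."""
        notional = tokens * self.price
        new_price = self.price * (1 + sign * 2 * self.k * notional)
        if new_price <= 0:
            raise ValueError("trade would drive the quote to zero or below")
        if self.max_dev is not None and \
                abs(new_price - self.ref_price) > self.max_dev * self.ref_price:
            raise ValueError("post-trade quote outside reference-price bound")
        self.price = new_price       # commit only after every check passes
        return notional * (1 + sign * self.k * notional)  # USD received or paid

    def sell(self, tokens: float) -> float:
        return self._trade(tokens, -1)

    def buy(self, tokens: float) -> float:
        return self._trade(tokens, +1)

def replay(pool: ToyPool) -> dict:
    """Replay the article's sequence: sell 7.7M tokens, then buy 10M."""
    try:
        pool.sell(7_700_000)
        low = pool.price             # quote right after the large sell
        paid = pool.buy(10_000_000)
    except ValueError as exc:
        return {"blocked": True, "reason": str(exc), "price": pool.price}
    return {"blocked": False, "low": low, "paid": paid, "price": pool.price}

if __name__ == "__main__":
    print("unguarded:", replay(ToyPool(price=0.5, ref_price=0.5)))
    print("guarded:  ", replay(ToyPool(price=0.5, ref_price=0.5, max_dev=0.05)))
```

In the unguarded run the quote falls below 1% of the reference price and the 10 million tokens cost a small fraction of their reference value; with the bound set, the first swap reverts and the quote is unchanged.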
This breach marks the first major issue for WOOFi since its launch in 2021. The integration of lending markets for WOO on Arbitrum, coupled with the relatively low liquidity elsewhere, created an opportunity for the hackers. However, the absence of the WOO token and WOO lending market on other chains acted as a barrier to reproducing the exploits.
The WOOFi team is currently working to recover the lost funds. They have offered a 10% white hat bounty to the hacker and initiated negotiations through an on-chain message. Additionally, a bounty has been posted on Arkham Intelligence for any valuable information leading to the identification of the hackers.
Stay tuned for further updates as the investigation progresses.