WOOFi Swap Hack: Flash Loan Exploit Results in Theft of $8.5 Million Worth of WOO Tokens
A group of hackers launched a highly sophisticated attack on the sPMM algorithm, which is the core of WOOFi Swap’s price mechanism on the Arbitrum network, on March 5th. Through a clever use of flash loans, they skillfully manipulated the value of WOO tokens, causing it to plummet dangerously close to zero.
However, the WOOFi team took swift action and managed to limit the stolen amount to $8.5 million within just 13 minutes, preventing further damage.
An independent investigator called Spreek detected the unusual transactions and immediately alerted the WOOFi team. The exploiter had taken advantage of Wootrade’s WooPPV2 contract, resulting in a total haul of $8.5 million on Arbitrum. The contract has now been paused, eliminating the need for any further action.
In response to the attack, the WOOFi team temporarily halted the affected pools and assured users that normal functionality would be restored within two weeks.
According to the team’s analysis, the exploiter borrowed 7.7 million WOO tokens and other assets, selling the WOO into WOOFi. This manipulation caused a significant drop in the value of the WOO token within WOOFi’s sPMM.
Taking advantage of this glitch, the attacker exchanged 10 million WOO tokens in the same transaction at a minimal cost. This attack was repeated three times in quick succession, resulting in a staggering profit of $8.75 million after repaying the flash loans.
Unlike its relatively smooth journey since its launch in 2021, WOOFiSwap faced unprecedented challenges during this attack. The integration of lending markets for WOO on Arbitrum, combined with limited liquidity elsewhere, created an opportunity for hackers.
However, the absence of the WOO token and the WOO lending market on other chains acted as a crucial barrier, preventing the replication of the exploits.
The WOOFi team is currently working tirelessly to recover the lost funds. They have offered a generous 10% white hat bounty and have initiated on-chain negotiations with the hacker. Additionally, a reward has been posted on Arkham Intelligence for any valuable information that can help identify the hackers.
The WOOFi team urges users to stay tuned for further updates on the situation.