
Vulnerability in Base Lending Contracts Results in $1 Million Theft
An exploit in unverified lending contracts on the L2 network Base has led to the theft of over $1 million. The incident was reported by the security firm Cyvers Alerts.
ALERT: Our system detected multiple suspicious transactions involving unverified lending contracts on #Base a few hours ago.
The attacker initially made a suspicious transaction, gaining approximately $993K from these unverified contracts. Most of these tokens were swapped and… pic.twitter.com/FRo5gVhxCc
— Cyvers Alerts (@CyversAlerts) October 25, 2024
The perpetrator exploited a vulnerability in smart contracts associated with WETH. After successfully manipulating the price oracle, they withdrew $993,000.
Approximately $202,000 was sent to Tornado Cash. The attack was then repeated, causing additional damage of $455,127.
“The oracle used by these contracts is unreliable. It relies solely on a single pair with limited liquidity of $400,000, making it susceptible to price fluctuations that can be manipulated,” explained senior security specialist at Cyvers Alerts, Hakan Unal.
To prevent such incidents, it is necessary to use reliable, diversified oracles with high liquidity, the expert noted.
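The following added example (not code from Cyvers Alerts or from the affected contracts) shows why a spot price read from a single thin pair is fragile and how a median over several deep sources holds up. It assumes the pair behaves like a constant-product pool with fees ignored; the function names, feed names and prices are constructed, and only the $400,000 liquidity figure comes from the article.

```python
from statistics import median

def spot_multiplier(pool_usd, trade_usd):
    """Factor by which a constant-product pool's spot price moves when
    trade_usd is swapped in; each side holds pool_usd / 2 (fees ignored)."""
    side = pool_usd / 2
    return ((side + trade_usd) / side) ** 2

def robust_price(feeds, min_liquidity_usd, min_sources=3, max_spread=0.02):
    """feeds: list of (name, price, liquidity_usd).
    Returns the median price of the feeds above the liquidity floor,
    or raises when the result cannot be trusted."""
    deep = [(n, p) for n, p, liq in feeds if liq >= min_liquidity_usd]
    if len(deep) < min_sources:
        raise ValueError("not enough deep, independent price sources")
    mid = median(p for _, p in deep)
    # Require a strict majority of sources to sit close to the median.
    agreeing = [n for n, p in deep if abs(p - mid) / mid <= max_spread]
    if len(agreeing) * 2 <= len(deep):
        raise ValueError("sources disagree; pause borrowing")
    return mid

# Constructed sample data; only the $400,000 figure is from the article.
THIN_POOL_USD = 400_000
FEEDS = [
    ("thin_pair", 5625.0, THIN_POOL_USD),  # spot price skewed 2.25x
    ("feed_a", 2500.0, 50_000_000),
    ("feed_b", 2504.0, 80_000_000),
    ("feed_c", 2498.0, 65_000_000),
]

if __name__ == "__main__":
    # The same trade size against a thin pool and one 100x deeper.
    print(spot_multiplier(THIN_POOL_USD, 100_000))
    print(spot_multiplier(40_000_000, 100_000))
    # The liquidity floor drops the thin pair; the median ignores its skew.
    print(robust_price(FEEDS, min_liquidity_usd=10_000_000))
```

A contract that reads only `thin_pair` would accept the skewed price, while the filtered median stays at the level the deep feeds agree on.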
The perpetrator managed to escape with the stolen assets, and their identity remains unknown. Responsibility for the incident will fall on the organization managing the lending protocols, Unal added.
Earlier in October, the lending protocol Radiant Capital was hacked on the BNB Chain and Arbitrum networks for over $50 million.