WOOFi DeFi Platform Suffers $8.75 Million Loss in Cyber Attack

The team behind the decentralized exchange WOOFi has reported an exploit of its swap service on the Arbitrum L2 network, resulting in a loss of $8.75 million.

Earlier today we identified an exploit of WOOFi Swap on Arbitrum. Within 13 minutes, the threat had been contained and we marked all other WOO contracts as safe. Linked below is a post-mortem detailing today’s events. (1/6)https://t.co/igDaOMgyCP

— WOOFi (@_WOOFi) March 5, 2024

The hacker borrowed approximately 7.7 million WOO tokens and other assets through flash loans. 

The attacker manipulated the price within the Synthetic Proactive Market Making mechanism (the platform’s AMM) by exploiting low liquidity, causing the token’s value to plummet to nearly zero. Subsequently, they exchanged 10 million WOO on the platform “at virtually no cost.” 

The hacker repeated the attack three times within a “short period.” After repaying the flash loans, their profit amounted to about $8.75 million.

According to the statement, the exploit was swiftly detected by the exchange’s internal monitoring system and partners such as Hypernative, Chainalysis, and Wintermute.

The developers suspended the Swap smart contract and initiated an investigation.

“Other WOOFi contracts, including Stake, Earn, and Pro, were not affected and remain fully operational. If any investors wish to withdraw funds, they can do so as usual,” they assured.

The team noted that Swap is supported across more than 10 networks, but none have a lending market like Arbitrum. Combined with the low liquidity of WOO on the L2 protocol, this made the attack economically viable for the hacker.

The attacker was offered a 10% reward for returning the stolen funds. Arkham Intelligence expressed willingness to pay for information about the perpetrator.

WOOFi developers are making changes to the Swap contract and expect to complete all necessary tests within two weeks.

“We will work with leading cybersecurity firms to ensure vulnerabilities are identified at an earlier stage. This is the first incident of its kind for us, and we want to ensure it does not happen again,” the statement reads.

In February, losses from hacks and fraud in crypto projects fell to $67 million, with all major incidents linked to the DeFi sector.