Unpacking the WOOFi Swap Exploit

Olympix
3 min read · Mar 8, 2024


On March 5th, 2024, WOOFi Swap, a decentralized exchange (DEX), encountered a security exploit on the Arbitrum network. While concerning, this incident serves as an opportunity for the Web3 community to learn, adapt, and strengthen its security posture. Let’s delve into the details of the incident and the actions taken.

The Exploit

The exploit targeted WOOFi’s unique synthetic proactive market-making (sPMM) algorithm, which simulates the platform’s order book depth and prices. The attacker borrowed significant amounts of WOO and other assets through flash loans, manipulating the sPMM algorithm by flooding the market with WOO. This manipulation caused the WOO price to plummet, enabling the attacker to buy back a large quantity of WOO at a meager price, ultimately leading to a loss of approximately $8.75 million.

[Image: A look at the attacker’s wallet using Arbitrum Scan]

Within WOOFi v2’s design, the sPMM dynamically adjusts the oracle price based on the notional value of user trades. This helps manage slippage and maintain pool balance. Unfortunately, an unforeseen error caused the price adjustment to deviate significantly from the expected range (down to $0.00000009).
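To make the failure mode concrete, here is an added toy model (not WOOFi’s sPMM code, and not from the original post) of a quote whose price impact grows with the notional sold. The formula, the coefficient `k` and the deviation bound are assumptions; the point is the difference between an adjustment that can drift toward zero and one that refuses any quote outside the expected range around the oracle price.

```python
from dataclasses import dataclass

# Constructed, simplified price-adjustment model. It is an illustration of
# the deviation problem described above, NOT WOOFi's actual sPMM formula.


@dataclass
class Pool:
    oracle_price: float    # external oracle price of the base token (quote units)
    k: float               # assumed price-impact coefficient per unit of notional
    max_deviation: float   # largest fraction the adjusted price may move from oracle


def adjusted_price_unbounded(pool: Pool, notional_sold: float) -> float:
    """Adjusted price after selling `notional_sold` of base into the pool.

    Impact grows with notional and nothing stops the quote from drifting
    arbitrarily close to zero under a very large sell.
    """
    return pool.oracle_price / (1.0 + pool.k * notional_sold)


def adjusted_price_bounded(pool: Pool, notional_sold: float) -> float:
    """Same adjustment, but a quote outside the expected range is refused.

    A contract would revert here; raising is the Python equivalent, so no
    trade can settle at a price the oracle could never have produced.
    """
    price = adjusted_price_unbounded(pool, notional_sold)
    if abs(price - pool.oracle_price) > pool.oracle_price * pool.max_deviation:
        raise ValueError(
            f"adjusted price {price:.10f} deviates more than "
            f"{pool.max_deviation:.0%} from oracle {pool.oracle_price}: refuse quote"
        )
    return price


def deviation_from_oracle(pool: Pool, price: float) -> float:
    """Fraction the quoted price sits below the oracle price (0 = at oracle)."""
    return 1.0 - price / pool.oracle_price


if __name__ == "__main__":
    pool = Pool(oracle_price=1.0, k=1e-6, max_deviation=0.05)  # constructed values
    for notional in (1_000.0, 10_000_000.0):
        p = adjusted_price_unbounded(pool, notional)
        print(f"sell {notional:>14,.0f}: unbounded price {p:.10f} "
              f"({deviation_from_oracle(pool, p):.2%} below oracle)")
        try:
            print(f"   bounded quote accepted at {adjusted_price_bounded(pool, notional):.6f}")
        except ValueError as exc:
            print(f"   bounded quote refused: {exc}")
```

The second sell in the demo drives the unbounded quote to about 9% of the oracle price, while the bounded variant refuses it; a monitoring rule that alerts on the same deviation would have fired at the same point.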

The recent introduction of a WOO lending market on Arbitrum and relatively low WOO token liquidity on other networks created the conditions that made this exploit financially viable.

Response and Mitigating Measures

WOOFi’s internal monitoring systems and external security partners promptly detected the exploit. By 4:02 PM UTC, WOOFi Swap’s smart contracts were paused to prevent further losses and safeguard user funds. This decisive action demonstrates the importance of robust monitoring and swift responses in mitigating security threats.

Impact

The exploit incident was isolated to WOOFi Swap v2 on the Arbitrum network. WOOFi’s other products, including WOOFi Pro, Stake, and Earn, remain fully operational and unaffected.

WOOFi is actively addressing the sPMM algorithm vulnerability to prevent similar exploits in the future, and aims to redeploy a secure version of WOOFi Swap v2 within two weeks.

Furthermore, WOOFi is actively seeking the return of stolen funds through a 10% bounty offered to the exploiter and a separate bounty for information leading to recovery.

Conclusion

The WOOFi Swap incident underscores the importance of continuous vigilance and proactive security measures in the ever-evolving Web3 landscape.

About Olympix

Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.

Join our beta program to fortify your smart contracts and proactively shield them from exploits in the evolving Web3 security landscape.

Connect with us on:

Twitter | LinkedIn | Discord | Medium | Instagram | Telegram | Substack
