Weekly Highlight: The WOOFi Hack Explained

Summary

The recent attack on WOOFi, a decentralized application built by WOO, has raised concerns in the decentralized finance (DeFi) space. The attacker manipulated the price logic of the WOOFi swap contract, resulting in approximately $9 million in losses. This post goes through the details of the attack, examining the attacker's behavior and the vulnerability exploited.

  • Project: WOOFi

  • Chain: Arbitrum

  • Attacker: 0x9961190B258897BCa7a12B8f37F415E689D281C4

  • Attack tx: 0xe80a16678b5008d5be1484ec6e9e77dc6307632030553405863ffb38c1f94266

  • Attacked contract: 0xeff23b4be1091b53205e35f3afcd9c7182bf3062

Deep Dive Understanding

Attacker Behavior

Preparation stage:

  • The attacker obtained the initial capital through a flash loan.

  • The borrowed funds totaled 10,504,796 USDC.e and 2,721,172 WOO.

  • The attacker deposited 7,000,000 USDC.e as collateral in Silo Finance and borrowed 5,092,663 WOO against it.

Manipulating the WOO price:

  • Using 300,000 USDC.e, the attacker executed multiple swaps through WOOFi's swap function, pushing the WOO price from 56,884,100 to 60,400,479 (raw oracle values with eight decimals, roughly $0.569 to $0.604).

  • The actual attack was a single swap selling 8,196,117 WOO back for USDC.e. This collapsed the WOO price to 0.00000007, a drop of roughly 8.6 million times.

Finally, the attacker spent a small amount of USDC.e to obtain more than 8,574,462 WOO through another swap, repaid the flash loan and the Silo borrow, and cashed out the remaining funds.

Vulnerability Analysis

Examination of the contract code revealed a flaw in how the price is updated when converting between base and quote tokens, in the _calcBaseAmountSellQuote function.

The core problem in the model is that the output amount is computed directly from the oracle price by multiplication and division, so a trade itself incurs no reserve-based slippage; instead, the quoted price is adjusted after the trade in proportion to its size through a constant coefficient. Because that adjustment is unbounded in practice, a single sufficiently large sell can push the quoted price arbitrarily close to zero, and the attacker can then buy the base token back for almost nothing.
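The following is an added, simplified model written for this post to reproduce the three-step pattern described in the Attacker Behavior section (pump, dump, cheap buy-back) against the pricing flaw described above. It is not WOOFi's code: the quoter assumes output amount = input * price with no reserve-based slippage, a post-trade price factor of (1 - gamma) or (1 + gamma) with gamma = notional * k for a constant coefficient k, and a revert when gamma would exceed 1. The coefficient K, the trade sizes and the optional max_impact guard are all constructed for illustration; only START_PRICE echoes the post's pre-attack raw oracle value. The guard is a hypothetical mitigation shown for contrast and is not the project's actual patch.

```python
from dataclasses import dataclass
from typing import Optional

START_PRICE = 56_884_100 / 1e8   # USDC per WOO, from the post's raw oracle figure (8 decimals)
K = 2.0e-7                       # constructed coefficient: price impact per 1 USDC of notional
PRICE_FLOOR = 1e-8               # assumed: one oracle tick, the smallest representable price


@dataclass
class ToyPool:
    """Single-pair sPMM-style quoter (toy model, not WOOFi's contract)."""
    price: float                        # quote (USDC) per base (WOO)
    k: float                            # constant coefficient driving the post-trade price move
    max_impact: Optional[float] = None  # hypothetical guard: max fractional price move per trade

    def _set_price(self, new_price: float) -> None:
        # Illustrative mitigation (not WOOFi's fix): refuse any single trade that
        # would move the quoted price by more than max_impact.
        if self.max_impact is not None:
            move = abs(new_price - self.price) / self.price
            if move > self.max_impact:
                raise ValueError(f"price impact {move:.2%} exceeds guard {self.max_impact:.0%}")
        self.price = max(new_price, PRICE_FLOOR)

    def sell_base(self, base_in: float) -> float:
        """Sell WOO for USDC: output comes straight from the price, then the price
        falls by the factor (1 - gamma)."""
        quote_out = base_in * self.price
        gamma = quote_out * self.k
        if gamma > 1.0:
            raise ValueError("gamma > 1: trade too large")  # a 'gamma <= 1' style sanity check
        self._set_price(self.price * (1.0 - gamma))
        return quote_out

    def sell_quote(self, quote_in: float) -> float:
        """Sell USDC for WOO: output comes straight from the price, then the price
        rises by the factor (1 + gamma)."""
        base_out = quote_in / self.price
        gamma = quote_in * self.k
        self._set_price(self.price * (1.0 + gamma))
        return base_out


def largest_sell_base(pool: ToyPool, margin: float = 1e-6) -> float:
    """Size a WOO sell so gamma lands just under 1. The gamma check does not stop
    the attacker; it only tells them how large the dump is allowed to be."""
    return (1.0 - margin) / (pool.k * pool.price)


@dataclass
class AttackResult:
    pumped_price: float
    dump_size: float
    crashed_price: float
    usdc_from_dump: float
    woo_bought_back: float
    net_usdc: float   # USDC received minus USDC spent
    net_woo: float    # WOO held after the dumped (borrowed) WOO is accounted for


def run_attack(k: float = K, guard: Optional[float] = None) -> AttackResult:
    pool = ToyPool(price=START_PRICE, k=k, max_impact=guard)
    usdc_spent = 0.0
    woo_held = 0.0
    # 1. Pump: several modest buys, 300,000 USDC in total (as in the post).
    for _ in range(5):
        woo_held += pool.sell_quote(60_000.0)
        usdc_spent += 60_000.0
    pumped = pool.price
    # 2. Dump: in the real attack the WOO came from the flash loan and the Silo
    #    borrow; here we assume the attacker holds it and must give it back.
    dump = largest_sell_base(pool)
    usdc_from_dump = pool.sell_base(dump)
    woo_held -= dump
    crashed = pool.price
    # 3. Buy back at the crashed price with a trivial amount of USDC.
    woo_back = pool.sell_quote(10.0)
    usdc_spent += 10.0
    woo_held += woo_back
    return AttackResult(pumped, dump, crashed, usdc_from_dump, woo_back,
                        usdc_from_dump - usdc_spent, woo_held)


if __name__ == "__main__":
    r = run_attack()
    print(f"pumped price {r.pumped_price:.6f}, dump {r.dump_size:,.0f} WOO -> {r.usdc_from_dump:,.0f} USDC")
    print(f"crashed price {r.crashed_price:.2e}, 10 USDC buys back {r.woo_bought_back:,.0f} WOO")
    print(f"net: +{r.net_usdc:,.0f} USDC, +{r.net_woo:,.0f} WOO")
```

With the constructed coefficient, five buys of 60,000 USDC lift the price by about 6%, a dump sized just under the gamma limit takes out roughly 5 million USDC and leaves the quoted price below 1e-6, and 10 USDC then buys back more WOO than was dumped. Running the same sequence with a per-trade impact guard (for example run_attack(guard=0.10)) lets the pump through but rejects the dump, which is the property a practitioner would want to see enforced somewhere in the pricing path.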

The WOOFi team promptly addressed the issue by removing the constant coefficient, as shown in the commit on their GitHub repository.

Patched Commit f5fe28...

Conclusion

The attack on WOOFi shows how flaws in the economic model of a decentralized application can be turned into a direct loss of funds. The attacker's manipulation of the token price and subsequent draining of the pool underscore the importance of bounding price movement and stress-testing pricing formulas in DeFi projects.

The Verichains team regularly updates the most recent vulnerabilities discovered in projects they have assessed and those they are presently auditing, as well as information from the blockchain security community.
