In March 2024, WOOFi suffered a price manipulation attack on its Arbitrum-based WOOFi Swap contract. The attacker took advantage of errors in the project’s synthetic proactive market making (sPMM) algorithm to make an estimated $8.75M in profits.
Inside the Attack
WOOFi includes an sPMM, which is designed to imitate how orderbooks look (price, spread, depth, etc.) on a centralized exchange. This sPMM has the ability to change the price provided by an oracle to protect against slippage and help to balance the pool.
The attacker manipulated this functionality via a flashloan exploit. They borrowed an estimated 7.7 million WOO tokens and sold them into the pool, triggering the sPMM to adjust the price of WOO tokens to nearly zero ($0.00000009). The fallback check for token prices — which uses Chainlink — didn’t include the WOO token price.
With this lower price, the attacker was able to swap approximately 10 million WOO tokens for next to nothing. After repeating this process three times within 13 minutes, the attacker was able to build up net profits of approximately $8.75 million after they paid back their flashloans.
According to WOO, this vulnerability largely existed due to the expansion of its platform to include a lending market on the Arbitrum blockchain. The unique combination of a WOO token and a WOO lending market was what made this exploit of the sPMM possible.
The large swaps on its platform were quickly detected by WOOFI’s transaction monitoring system; however, the speed of the attack enabled the hacker to steal significant amounts of crypto from the platform. The WOOFi Swap v2 contract was frozen for an estimated two weeks as the team made edits to fix the issue.
Lessons Learned from the Attack
The WOOFi hack demonstrates the potential impacts of environmental factors on smart contract security. In the case of the WOOFi sPMM, the same functionality — which did contain a vulnerability — has been in operation with no issues since 2021. To exploit it, the attacker needed the combination of a low-liquidity asset, a WOO lending market on Arbitrum, and WOO tokens being relatively rare on the platform. However, when this combination came into being, an attacker was able to drain about $8.75 million from the platform in minutes.
Ideally, vulnerabilities like the one exploited by the WOOFi attacker would be found and fixed before launch, rather than relying on the absence of the right conditions for exploitation. To learn more about protecting your DeFi project against attack, get in touch with Halborn.