Full Report
WOO is a finance platform deployed on several blockchains; recently it deployed everything on Arbitrum. WOOFi uses a system that adjusts its oracle prices based on trade value. By manipulating that price within a low-liquidity environment, it was possible to drop the price of the asset to near zero and steal funds. The attacker borrowed 7.7M WOO and sold the WOO into WOOFi, and the pricing algorithm incorrectly produced an extreme price close to zero. From there, the attacker swapped out 10M WOO for almost nothing in USDC. They did this three times, for a profit of about $8.75M. Instead of a standard Automated Market Maker (AMM), WOOFi uses its own sPMM (synthetic proactive market maker), and the error within that protocol let the price move outside its intended range to $0.00000009. In theory a fallback to Chainlink should have executed, but the threshold wasn't reached, resulting in this major issue.

A few things stood out to me and to rekt.news. First, moving to different chains doesn't come without risk: low liquidity is what makes these types of attacks possible. Second, code that is not battle-tested and well audited shouldn't have millions in it.
Analysis Summary
# Incident Report: WOOFi sPMM Oracle Manipulation Exploit
## Executive Summary
On March 5, 2024, the WOOFi finance platform on the Arbitrum network was exploited for approximately $8.75 million. The attacker utilized flash loans and a price manipulation technique targeting WOOFi’s proprietary Synthetic Proactive Market Maker (sPMM) algorithm. By exploiting low liquidity and an edge-case error in the pricing adjustment logic, the attacker dropped the price of the WOO token to near zero, allowing for the theft of assets.
## Incident Details
- **Discovery Date:** March 5, 2024, 16:02 UTC
- **Incident Date:** March 5, 2024, 15:49 UTC
- **Affected Organization:** WOOFi (WOO Network)
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Distributed (Blockchain-based)
## Timeline of Events
### Initial Access
- **Date/Time:** March 5, 2024, 15:49 UTC
- **Vector:** Flash Loan / Smart Contract Exploitation
- **Details:** The attacker initiated a sequence of flash loans on the Arbitrum network, borrowing ~7.7M WOO tokens and other assets to provide the necessary capital for market manipulation.
### Lateral Movement
- **Not Applicable:** The attack was a direct interaction with smart contracts (WOOFi Swap v2) rather than a breach of internal corporate networks.
### Data Exfiltration/Impact
- **Financial Loss:** The attacker executed the swap manipulation three times in quick succession. By crashing the WOO price to $0.00000009, they were able to swap 10M WOO tokens for USDC at virtually no cost, netting approximately $8.75 million in illicit profit after repaying flash loans.
### Detection & Response
- **15:49 UTC:** Attack begins.
- **Immediate:** Internal monitoring systems and external partners (Hypernative, Chainalysis, Wintermute) detected anomalous large swaps.
- **16:02 UTC:** WOOFi paused the Swap smart contracts (13 minutes after the start of the exploit).
- **Post-Incident:** Investigation launched; 10% whitehat bounty offered to the exploiter; Arkham Intelligence bounty posted for identification.
## Attack Methodology
- **Initial Access:** Smart contract interaction via flash loans.
- **Discovery:** The attacker identified a vulnerability in the sPMM algorithm where trade volume could push prices outside expected bounds in low-liquidity environments.
- **Impact:**
  - **Oracle Manipulation:** Sold a large volume of WOO into the sPMM.
  - **Logic Flaw:** The sPMM incorrectly adjusted the price to an extreme low ($0.00000009).
  - **Fallback Failure:** A fallback check against Chainlink prices existed but was notably absent for the WOO token itself, allowing the manipulated price to persist.
## Impact Assessment
- **Financial:** Estimated loss of $8.75 million USD.
- **Data Breach:** None (No PII or private data compromised).
- **Operational:** WOOFi Swap v2 was paused globally for at least two weeks; other services (Stake, Earn, Pro) remained operational.
- **Reputational:** Significant public visibility via rekt.news and security partners; first major exploit in the protocol's history since 2021.
## Indicators of Compromise
- **Behavioral Indicators:**
  - Unusual flash loan activity involving WOO tokens on Arbitrum.
  - WOO price deviation to $0.00000009 within the WOOFi sPMM.
  - Repetitive, highly profitable swaps within the same or subsequent blocks.
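The behavioral indicators above can be turned into simple detection logic. The following is an added example, not WOOFi's or its monitoring partners' code: it runs two checks over a constructed set of swap events (execution price far from a reference price, and one sender executing many swaps in the same or adjacent blocks). The event rows, the sender addresses and the reference price of $0.50 per WOO are all constructed for the illustration; the amounts loosely mirror the figures in the report.

```python
"""Detection logic over constructed swap events, modelled on the behavioural
indicators in the report. Added illustration, not production monitoring code."""
from collections import defaultdict

# Constructed swap events: (block, sender, token_in, amount_in, token_out, amount_out).
# Amounts are whole tokens. The last six rows mimic the pattern described in the
# report: very large WOO sells followed by WOO buys at a near-zero USDC price.
SAMPLE_SWAPS = [
    (100, "0xaaaa", "WOO", 1_000, "USDC", 480),            # ordinary trade
    (101, "0xbbbb", "USDC", 2_000, "WOO", 4_150),          # ordinary trade
    (105, "0xcccc", "WOO", 7_700_000, "USDC", 2_500_000),  # huge sell pushes the quote down
    (105, "0xcccc", "USDC", 1, "WOO", 10_000_000),         # 10M WOO bought for ~nothing
    (105, "0xcccc", "WOO", 7_700_000, "USDC", 2_400_000),
    (106, "0xcccc", "USDC", 1, "WOO", 10_000_000),
    (106, "0xcccc", "WOO", 7_700_000, "USDC", 2_300_000),
    (106, "0xcccc", "USDC", 1, "WOO", 10_000_000),
]

# Constructed reference price (what an independent oracle such as Chainlink would report).
REFERENCE_WOO_USD = 0.50


def woo_execution_price(event):
    """USDC paid or received per WOO for a WOO<->USDC swap; None for other pairs."""
    _, _, token_in, amount_in, token_out, amount_out = event
    if token_in == "WOO" and token_out == "USDC":
        return amount_out / amount_in
    if token_in == "USDC" and token_out == "WOO":
        return amount_in / amount_out
    return None


def flag_price_deviation(events, reference=REFERENCE_WOO_USD, max_deviation=0.10):
    """Return events whose execution price deviates from the reference by more
    than max_deviation (a fraction; 0.10 == 10%)."""
    flagged = []
    for event in events:
        price = woo_execution_price(event)
        if price is not None and abs(price - reference) / reference > max_deviation:
            flagged.append(event)
    return flagged


def flag_repeated_swaps(events, window_blocks=1, min_count=3):
    """Return senders that execute at least min_count swaps inside any span of
    window_blocks consecutive blocks (same or subsequent blocks)."""
    blocks_by_sender = defaultdict(list)
    for event in events:
        blocks_by_sender[event[1]].append(event[0])
    suspects = set()
    for sender, blocks in blocks_by_sender.items():
        blocks.sort()
        for i, start in enumerate(blocks):
            # Count this sender's swaps in [start, start + window_blocks].
            in_window = sum(1 for b in blocks[i:] if b - start <= window_blocks)
            if in_window >= min_count:
                suspects.add(sender)
                break
    return sorted(suspects)


def alert_senders(events):
    """Senders that trip both indicators: off-reference prices and rapid repetition."""
    deviating = {event[1] for event in flag_price_deviation(events)}
    return sorted(deviating & set(flag_repeated_swaps(events)))


if __name__ == "__main__":
    for event in flag_price_deviation(SAMPLE_SWAPS):
        print("price deviation:", event, "exec price =", woo_execution_price(event))
    print("repeated swaps:", flag_repeated_swaps(SAMPLE_SWAPS))
    print("alert:", alert_senders(SAMPLE_SWAPS))
```

On the constructed data the two ordinary trades sit within 4% of the reference and are ignored, while all six trades from the third sender are flagged on price and that sender also trips the repetition check. In a real deployment the reference price would come from an on-chain oracle feed rather than a constant, and the thresholds would be tuned per asset.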
## Response Actions
- **Containment:** WOOFi Swap smart contracts were paused within 13 minutes of the breach.
- **Eradication:** Investigation into the sPMM codebase to identify why the pricing algorithm failed to bound the adjustment.
- **Recovery:** Initiated recovery efforts via Arkham Intelligence and a 10% whitehat bounty offer. Planned redeployment of WOOFi Swap v2 after fresh audits.
## Lessons Learned
- **Cross-Chain Risk:** Deploying on new chains (like Arbitrum) introduces unique risks, particularly regarding asset liquidity and the availability of lending markets that facilitate flash loans.
- **Oracle Fallbacks:** Fallback mechanisms (e.g., Chainlink) must be comprehensive and cover all tradable assets, including the platform's native token.
- **Liquidity Sensitivity:** Protocols relying on custom market-making algorithms must stress-test for low-liquidity scenarios where slippage calculations can be pushed to mathematical extremes.
## Recommendations
- **Comprehensive Oracle Coverage:** Ensure all assets are validated against decentralized price feeds (like Chainlink) with strict deviation thresholds.
- **Enhanced Guardrails:** Implement "circuit breakers" that automatically pause contracts if a trade results in a price movement exceeding a specific percentage (e.g., >10%).
- **Continuous Auditing:** Conduct specialized audits when porting existing code to new environments or adding new lending markets for platform assets.
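The logic flaw in the Attack Methodology section (a volume-driven price adjustment with no effective bound and no oracle fallback for the asset) and the guardrails proposed under Lessons Learned and Recommendations can be shown side by side. The following is an added example and is not WOOFi's sPMM or any of its contract code: the pricing formula (an exponential decay of the quote with trade size relative to pool liquidity) is a deliberately simple stand-in chosen only because it reproduces the "price pushed toward zero in a thin pool" behaviour. The `Pool` class, the `TradeRejected` exception, the liquidity figures and the oracle price are all constructed for the illustration.

```python
"""Unbounded quote adjustment beside a hardened version with oracle deviation
check, asset coverage check and a circuit breaker. Added illustration; the
pricing model is a stand-in, not WOOFi's sPMM."""
import math
from dataclasses import dataclass


class TradeRejected(Exception):
    """Raised when the hardened quote refuses to execute a trade."""


@dataclass
class Pool:
    quote_price: float     # USDC per WOO currently quoted by the maker
    woo_liquidity: float   # WOO held by the pool; smaller means more price impact
    paused: bool = False   # set by the circuit breaker


def naive_sell_price(pool, amount_woo):
    """Unbounded adjustment: the quote decays with trade size relative to liquidity.
    Nothing stops a single large sell into a thin pool from driving it toward zero."""
    return pool.quote_price * math.exp(-amount_woo / pool.woo_liquidity)


def guarded_sell_price(pool, amount_woo, oracle_price,
                       max_deviation_bps=1000, breaker_bps=1000):
    """Hardened quote, applied in this order:
    1. refuse to trade while the pool is paused;
    2. refuse assets with no independent oracle coverage (the gap the report
       identifies for the WOO token itself);
    3. trip the circuit breaker (pause the pool) if one trade would move the
       quote by more than breaker_bps (1000 bps == the 10% in the recommendations);
    4. reject the trade if the adjusted quote deviates from the oracle price by
       more than max_deviation_bps."""
    if pool.paused:
        raise TradeRejected("pool paused")
    if oracle_price is None:
        raise TradeRejected("no oracle coverage for asset; refusing to quote")
    new_price = naive_sell_price(pool, amount_woo)
    move_bps = abs(new_price - pool.quote_price) / pool.quote_price * 10_000
    if move_bps > breaker_bps:
        pool.paused = True
        raise TradeRejected(f"circuit breaker: trade would move quote {move_bps:.0f} bps")
    deviation_bps = abs(new_price - oracle_price) / oracle_price * 10_000
    if deviation_bps > max_deviation_bps:
        raise TradeRejected(f"quote deviates {deviation_bps:.0f} bps from oracle")
    pool.quote_price = new_price
    return new_price


def run_scenarios():
    """Compare the two quotes on a thin pool. Returns a dict of outcomes."""
    oracle = 0.50  # constructed independent oracle price, USDC per WOO
    results = {}

    # Unbounded: a 7.7M WOO sell into a 500k WOO pool collapses the quote.
    thin = Pool(quote_price=0.50, woo_liquidity=500_000.0)
    results["naive_after_large_sell"] = naive_sell_price(thin, 7_700_000)

    # Hardened: a modest sell passes and updates the quote.
    thin = Pool(quote_price=0.50, woo_liquidity=500_000.0)
    results["guarded_small_sell"] = guarded_sell_price(thin, 10_000, oracle)

    # Hardened: the large sell trips the breaker and pauses the pool.
    try:
        guarded_sell_price(thin, 7_700_000, oracle)
        results["guarded_large_sell"] = "executed"
    except TradeRejected as exc:
        results["guarded_large_sell"] = str(exc)
    results["paused_after_large_sell"] = thin.paused

    # Hardened: an asset without oracle coverage is never quoted at all.
    fresh = Pool(quote_price=0.50, woo_liquidity=500_000.0)
    try:
        guarded_sell_price(fresh, 10_000, None)
        results["uncovered_asset"] = "executed"
    except TradeRejected as exc:
        results["uncovered_asset"] = str(exc)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The order of the checks matters: the breaker is evaluated on the price move a trade *would* cause, before the trade is applied, so the pool is paused without the damaging quote ever being written. The coverage check is what the report's fallback lacked for WOO: a fallback that is only consulted for some assets gives no protection on the one that is manipulated.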