WooFi Flash Loan Attack - March 5, 2024
What Happened
WooFi, a cross-chain decentralized exchange, suffered a flash loan attack on its Arbitrum deployment resulting in approximately $8.5 million in losses. The exploit was detected and the affected contracts were paused within 13 minutes, but the attacker had already escaped with a substantial amount of ETH.
Technical Root Cause
According to WooFi's post-mortem analysis, the vulnerability existed in the sPMM (Simplified Proactive Market Making) system. The protocol's oracle price adjustment mechanism, designed to manage slippage and balance pools, contained a critical flaw: "an error led to a price adjustment outside the expected range, and the fallback check, normally executed against Chainlink, didn't cover the WOO token price."
The recent addition of a WOO lending market on Arbitrum, combined with relatively low liquidity for WOO tokens on the network, made exploitation economically viable.
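To illustrate why a reference-feed fallback has to cover every traded token, here is a constructed Python model, added here and not WooFi's own code, of an oracle with a per-update bound plus a reference check: a run of individually in-range updates drifts far from the reference, and only the reference check stops it, so any token missing from that check's coverage is unprotected. Names such as BoundedOracle, MAX_ADJUST_BPS and the sample prices are assumptions.

```python
BPS = 10_000
MAX_ADJUST_BPS = 200       # assumed cap on a single price adjustment (2%)
MAX_DEVIATION_BPS = 500    # assumed cap on deviation from the reference feed (5%)


class PriceOutOfRange(Exception):
    """Raised when an update fails a sanity check; on-chain this would be a revert."""


class BoundedOracle:
    """Simplified sPMM-style quote store with two independent sanity checks."""

    def __init__(self, prices, reference, covered):
        self.prices = dict(prices)        # internal quote per token (integer units)
        self.reference = dict(reference)  # external feed, e.g. a Chainlink-style price
        self.covered = set(covered)       # tokens the fallback check is applied to

    def update(self, token, new_price):
        old = self.prices[token]
        # Check 1: the single adjustment must stay inside the expected range.
        if abs(new_price - old) * BPS > MAX_ADJUST_BPS * old:
            raise PriceOutOfRange(f"{token}: adjustment exceeds per-update cap")
        # Check 2: fallback against the external reference. A token absent
        # from `covered` silently skips this check, which is the gap the
        # post-mortem describes for WOO.
        if token in self.covered:
            ref = self.reference[token]
            if abs(new_price - ref) * BPS > MAX_DEVIATION_BPS * ref:
                raise PriceOutOfRange(f"{token}: deviates too far from reference")
        self.prices[token] = new_price
        return new_price


def accepts(oracle, token, new_price):
    """True if the update would pass both checks; does not mutate the oracle."""
    copy = BoundedOracle(oracle.prices, oracle.reference, oracle.covered)
    try:
        copy.update(token, new_price)
        return True
    except PriceOutOfRange:
        return False


def drift(oracle, token, steps, step_bps=150):
    """Apply `steps` successive in-range downward updates (each under the
    per-update cap) and return how many were accepted before a check rejected one."""
    accepted = 0
    for _ in range(steps):
        new_price = oracle.prices[token] * (BPS - step_bps) // BPS
        try:
            oracle.update(token, new_price)
        except PriceOutOfRange:
            break
        accepted += 1
    return accepted
```

With WOO left out of `covered`, every 1.5% step passes and the quote ends more than 14% below the reference after ten updates; with WOO covered, the fourth step is rejected.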
Attack Vector/Exploit Steps
1. Flash Loan Initiation: Attacker obtained a flash loan to manipulate market conditions
2. Price Manipulation: Used the loan to artificially adjust the WOO token price through the vulnerable oracle
3. Pool Drainage: Executed three separate swap transactions targeting the WooPPV2 pool contract
4. Loan Repayment: Repaid the flash loan at the manipulated (cheaper) price, pocketing the difference
Financial Impact
• Total Loss: $8.5 million
• Detection Time: 13 minutes
• Primary Asset Stolen: ETH
Key Addresses & Transactions
| Item | Address/Hash |
|---|---|
| Attacker Address | 0x9961190b258897bca7a12b8f37f415e689d281c4 |
| Attack Transaction | 0x40e1b8c78083fc666cb7598efcecd0ae0af313fc41441386e4db716c2808ce07 |
| Attack Contract | 0xd4c633c9a765bc690e1fba566981c1f4eab52df0 |
| Stolen Funds Destination | 0xb59d04d9957c9e266dff5c4173d4d2324eb029ad |
Remediation
WooFi responded by:
• Immediately pausing affected pools within 13 minutes
• Sending an on-chain message to the attacker offering a 10% bounty, on the assumption that the exploit might have been carried out by a whitehat researcher
• Publishing a detailed post-mortem analysis
Additional Context
• Prior Audit: Certik audited WooFi's swap and oracle contracts in October 2022
• Bug Bounty Program: Immunefi hosted a bug bounty (2022-2023) that covered oracle manipulation and flash loan attacks
• Platform Launch: WooFi deployed to Arbitrum in November 2022
• 2024 Arbitrum Attack Trend: This was the third major Arbitrum protocol attack in early 2024, following Radiant Capital and Gamma Strategies exploits