The cross-chain decentralized exchange WOOFi has fallen prey to malicious actors who exploited a flash loan vulnerability, resulting in losses exceeding $8 million. The project’s team has suspended activities in the affected pools while conducting thorough investigations.
At 15:49 UTC, one of the WOOFi oracles on Arbitrum was exploited by a contained attack using flash loans, which manipulated the price of WOO in order to repay the flash loans at a cheaper price. (1/2) https://t.co/jlk7fb0trw
— WOOFi (@_WOOFi) March 5, 2024
WOOFi operates as a DeFi protocol facilitating cross-chain swaps, token staking, and yield farming across 11 blockchain networks, including Ethereum, Arbitrum, Optimism, Polygon, Avalanche, BNB Chain, Fantom, among others. The platform leverages the Woo Network, a liquidity infrastructure connecting traders, exchanges, institutions, and DeFi protocols, with its operations powered by the WOO token.
According to ongoing probes by the WOOFi team, the attacker exploited an oracle on Arbitrum, impacting the WooPPV2 contract. The breach involved a “contained” flash loan attack aimed at manipulating the price of WOO token, with the loan being repaid amidst a price downturn.
Following initial alerts from X accounts Spreek and PeckShield, WOOFi halted its pools and initiated a thorough investigation. As of now, the attacker has siphoned approximately 2,000 ETH worth of funds.
#PeckShieldAlert @_WOOFi has been exploited for ~$8m. The exploiter 0x9961…81c4 has transferred ~2K $ETH to 0xb59d…29Adhttps://t.co/eIPn0iaPyL https://t.co/yGEPjZQrqY pic.twitter.com/FcHDmuZOaL
— PeckShieldAlert (@PeckShieldAlert) March 5, 2024
Although the investigation is ongoing, WOOFi reassures users that their current assets in Earn vaults, WOOFi stake, and other WOO contracts are not at risk.
WOOFi, working with several close partners, paused the respective contracts at 16:02 UTC while an investigation began. The impact is currently limited, there is no risk to the current user assets in Earn vaults, WOOFi stake, or other WOO contracts.
More updates to come. (2/2)
— WOOFi (@_WOOFi) March 5, 2024
The WOO token’s value has been impacted by the attack, with its price plummeting to $0.54, reflecting a 5.7% decline over the past 24 hours.
Moreover, WOOFi’s total value locked (TVL) has decreased from $53.36 million to $44.3 million within the same timeframe.
Despite the losses, malicious actors continue to target WOO users through an impersonator X account. Shortly after the attack, the WOOFi team warned users about this account, falsely claiming to be the project’s official handle and urging users to revoke approvals to prevent fund loss, leading to phishing attempts.
WOOFi’s $8M breach adds to the list of notable hacks within the crypto industry since the beginning of the year.