WOOFi sPMM exploit post-mortem

A brief incident recap

At 15:49 UTC on March 5th, the sPMM algorithm that controls the pricing on WOOFi Swaps was exploited on Arbitrum. The exploit consisted of a sequence of flash loans that took advantage of low liquidity to manipulate the price of WOO in order to repay the flash loans at a cheaper price.

The exploiter borrowed ~7.7M WOO as well as some other assets and sold the WOO into WOOFi. At this point WOOFi’s sPMM incorrectly adjusted WOO to an extreme price which was close to zero, and the exploiter then swapped out 10M WOO in the same transaction with almost no cost. The exploiter repeated this attack 3 times within a very short period of time, which netted about $8.75m in profits after returning the flash loans.

The exploit was immediately picked up by several teams, including Hypernative, Chainalysis, Wintermute, and many members of the Security Alliance (SEAL911). The large swaps had also been picked up by WOOFi’s internal transaction monitoring system, and by 16:02 UTC, WOOFi Swap’s smart contracts had been paused, and a full investigation had begun.

About synthetic proactive market making (sPMM)

WOOFi’s sPMM algorithm differs from conventional AMMs in that it works in tandem with WOOFi's on-chain oracles to simulate the price, spread, and depth of the orderbook on centralized exchanges. 

In WOOFi v2’s design, the sPMM will override the oracle price according to the notional value of users’ trades in order to adjust slippage and keep the pools in a more balanced state. Unfortunately, a previously unidentified error resulted in the price being adjusted far outside of the expected range ($0.00000009), and the fallback check, normally executed against Chainlink, didn’t cover the WOO token price.
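As an added example (not WOOFi's own code) of the guard the paragraph above says was missing for WOO: a simplified quote check that fails closed when no reference feed exists for an asset and rejects an sPMM-adjusted price outside a deviation band, plus a monitoring pass that applies the same check to executed swaps. The reference prices, transaction ids, sample swaps and the 500 bps threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class QuoteCheck:
    accepted: bool
    reason: str


def check_quote(spmm_price: float, reference_price: Optional[float],
                max_deviation_bps: int = 500) -> QuoteCheck:
    """Accept an sPMM-adjusted price only when an independent reference exists
    and the adjusted price lies within max_deviation_bps of it. Simplified model,
    not WOOFi's code; a missing reference is a rejection (fail closed)."""
    if reference_price is None or reference_price <= 0:
        return QuoteCheck(False, "no reference price for asset; fail closed")
    if spmm_price <= 0:
        return QuoteCheck(False, "non-positive adjusted price")
    deviation = abs(spmm_price - reference_price) * 10_000 / reference_price
    if deviation > max_deviation_bps:
        return QuoteCheck(False, f"deviation {deviation:.0f} bps > {max_deviation_bps} bps")
    return QuoteCheck(True, "within bounds")


@dataclass(frozen=True)
class Swap:
    tx: str            # constructed tx id, not a real hash
    token: str
    side: str          # "sell" = token into the pool, "buy" = token out of the pool
    amount: float
    exec_price: float  # USD per token actually realized


def flag_swaps(swaps: list[Swap], reference: dict[str, Optional[float]],
               max_deviation_bps: int = 500) -> list[tuple[str, str]]:
    """Monitoring pass over executed swaps: flag any whose realized price would
    not have passed check_quote against the reference feed for that token."""
    flagged = []
    for s in swaps:
        verdict = check_quote(s.exec_price, reference.get(s.token), max_deviation_bps)
        if not verdict.accepted:
            flagged.append((s.tx, f"{s.side} {s.amount:g} {s.token}: {verdict.reason}"))
    return flagged


# Constructed sample data: a normal ETH swap, and a WOO sell/buy pair in one tx
# whose realized price collapsed to the value quoted in the post-mortem; the
# reference map deliberately has no feed for WOO, mirroring the missing fallback.
REFERENCE = {"ETH": 3500.0, "WOO": None}
SAMPLE_SWAPS = [
    Swap("tx-1", "ETH", "sell", 10, 3490.0),
    Swap("tx-2", "WOO", "sell", 7_700_000, 0.00000009),
    Swap("tx-2", "WOO", "buy", 10_000_000, 0.00000009),
]
```

Running `flag_swaps(SAMPLE_SWAPS, REFERENCE)` flags both legs of the WOO transaction and nothing else; supplying a WOO reference price flags them again, this time for deviation rather than for the missing feed.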

Since first launching in 2021, WOOFi’s sPMM had been incident-free, largely due to a conservative approach to listing new assets. Initiating this exploit with major assets like ETH would be nearly impossible. However, the recent addition of a lending market for WOO on Arbitrum, plus relatively low liquidity support for WOO tokens elsewhere on the network, made the exploit economically feasible. WOOFi Swap is deployed on 10+ networks, but no other network had both the WOO token and a WOO lending market, which prevented the same exploit from being replicated.  

Other WOOFi contracts, including WOOFi Stake, Earn, and Pro, were unaffected and remain fully functional. Should any WOOFi Earn depositors wish to withdraw any funds, they can do so as usual. 

Next steps for WOOFi Swap

Efforts to recover these funds have already been initiated, with a 10% whitehat bounty extended to the exploiter. Additionally, a bounty has been placed on Arkham Intelligence for anyone who can provide additional information. We can be reached at woofi-bounty@woo.org.

While we fix the contract and secure additional audits, WOOFi Pro, Stake, and Earn remain unaffected and fully operational. Our goal is to resolve the issue with WOOFi Swap v2 and redeploy within 2 weeks, while continuing our plan to release the v3 version later this spring. We will work with top security firms to ensure these vulnerabilities are identified at an earlier stage. This is the first time an incident like this has happened to us, and we want to make sure it doesn't happen again.

On that note, special thanks must be extended to all the parties that worked to support us, including:
