WOOFi sPMM exploit post-mortem

A brief incident recap

At 15:49 UTC on March 5th, the sPMM algorithm that controls the pricing on WOOFi Swap was exploited on Arbitrum. The exploit consisted of a sequence of flash loans that took advantage of low liquidity to manipulate the price of WOO in order to repay the flash loans at a cheaper price.

The exploiter borrowed ~7.7M WOO as well as some other assets and sold the WOO into WOOFi. At this point WOOFi’s sPMM incorrectly adjusted WOO to an extreme price which was close to zero, and the exploiter then swapped out 10M WOO in the same transaction with almost no cost. The exploiter repeated this attack 3 times within a very short period of time, which netted about $8.75m in profits after returning the flash loans.

The exploit was immediately picked up by several teams, including Hypernative, Chainalysis, Wintermute, and many members of the Security Alliance (SEAL911). The large swaps had also been picked up by WOOFi’s internal transaction monitoring system, and by 16:02 UTC, WOOFi Swap’s smart contracts had been paused, and a full investigation had begun.

About synthetic proactive market making (sPMM)

WOOFi’s sPMM algorithm differs from conventional AMMs in that it works in tandem with WOOFi's on-chain oracles to simulate the price, spread, and depth of the orderbook on centralized exchanges.

In WOOFi v2’s design, the sPMM will override the oracle price according to the notional value of users’ trades in order to adjust slippage and keep the pools in a more balanced state. Unfortunately, a previously unidentified error resulted in the price being adjusted far outside of the expected range ($0.00000009), and the fallback check, normally executed against Chainlink, didn’t cover the WOO token price.
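To illustrate the failure mode described above, here is an added, simplified model (not WOOFi's contract code) of a price guard around the sPMM-adjusted price. The `Quote`, `weak_check` and `hardened_check` names and all prices are constructed for the example; the weak variant skips the reference comparison when a token has no fallback feed, the hardened variant fails closed and also bounds the deviation.

```python
"""Added illustration: fail-open vs. fail-closed oracle guard (hypothetical, not WOOFi code)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Quote:
    token: str
    spmm_price: float            # price after the sPMM notional-based adjustment
    reference: Optional[float]   # Chainlink-style fallback price, None if the token is not covered


class PriceGuardError(Exception):
    """Raised when a quote must not be used to settle a swap."""


def weak_check(q: Quote, max_dev: float = 0.05) -> float:
    """Fail-open pattern: the deviation check only runs when a reference feed exists.
    A token without a fallback feed is accepted at whatever price the sPMM produced."""
    if q.reference is not None:
        dev = abs(q.spmm_price - q.reference) / q.reference
        if dev > max_dev:
            raise PriceGuardError(f"{q.token}: deviation {dev:.2%} exceeds {max_dev:.0%}")
    return q.spmm_price


def hardened_check(q: Quote, max_dev: float = 0.05) -> float:
    """Fail-closed pattern: no reference feed means no quote, the adjusted price must be
    positive, and it must stay inside the tolerance band around the reference."""
    if q.reference is None or q.reference <= 0:
        raise PriceGuardError(f"{q.token}: no usable reference feed, refusing to quote")
    if q.spmm_price <= 0:
        raise PriceGuardError(f"{q.token}: non-positive adjusted price")
    dev = abs(q.spmm_price - q.reference) / q.reference
    if dev > max_dev:
        raise PriceGuardError(f"{q.token}: deviation {dev:.2%} exceeds {max_dev:.0%}")
    return q.spmm_price


def quote_or_none(check: Callable[[Quote], float], q: Quote) -> Optional[float]:
    """Return the accepted price, or None when the guard rejects the quote."""
    try:
        return check(q)
    except PriceGuardError:
        return None


# Constructed scenarios (values are illustrative, not measured on-chain):
WOO_NO_FEED = Quote("WOO", spmm_price=0.00000009, reference=None)   # adjusted near zero, no fallback
WOO_WITH_FEED = Quote("WOO", spmm_price=0.00000009, reference=0.40)  # same price, feed present
ETH_NORMAL = Quote("ETH", spmm_price=3480.0, reference=3500.0)      # ordinary quote inside the band
```

The weak guard accepts the near-zero WOO price because the token had no fallback feed to compare against; the hardened guard refuses it, while still accepting an ordinary in-band quote.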

Since first launching in 2021, WOOFi’s sPMM had been incident-free, largely due to a conservative approach to listing new assets. Initiating this exploit with major assets like ETH would be nearly impossible. However, the recent addition of a lending market for WOO on Arbitrum, plus relatively low liquidity support for WOO tokens elsewhere on the network, made the exploit economically feasible. WOOFi Swap is deployed on 10+ networks, but no other network had both the WOO token and a WOO lending market, which prevented the same exploit from being replicated.

Other WOOFi contracts, including WOOFi Stake, Earn, and Pro, were unaffected and remain fully functional. Should any WOOFi Earn depositors wish to withdraw any funds, they can do so as usual.

Next steps for WOOFi Swap

Efforts to recover these funds have already been initiated, with a 10% whitehat bounty extended to the exploiter. Additionally, a bounty has been placed on Arkham Intelligence for anyone who can provide additional information. We can be reached at woofi-bounty@woo.org.

While we fix the contract and secure additional audits, WOOFi Pro, Stake, and Earn remain unaffected and fully operational. Our goal is to resolve the issue with WOOFi Swap v2 and redeploy within 2 weeks, while continuing our plan to release the v3 version later this spring. We will work with top security firms to ensure these vulnerabilities are identified at an earlier stage. This is the first time an incident like this has happened to us, and we want to make sure it doesn't happen again.

On that note, special thanks must be extended to all the parties that worked to support us, including:
