WOOFi offers bounty after $8.75 million exploit on Arbitrum

Decentralized finance platform WOOFi reported an exploit targeting its swap offering on the Arbitrum network, resulting in a loss of about $8.75 million in cryptocurrencies.

At 10:49 am ET on Tuesday, an unknown attacker manipulated the platform’s Synthetic Proactive Market Making (sPMM) algorithm through a series of flash loans, taking advantage of the low liquidity to drastically affect the WOO token’s price.

The attacker borrowed around 7.7 million WOO tokens along with other assets and sold them on WOOFi, the team noted in a post-mortem report . This action caused the sPMM algorithm to incorrectly value the project's native token WOO at near-zero prices.

The exploiter then capitalized on this abnormal pricing to swap out 10 million WOO at minimal costs, repeating this process three times in a short span, netting themselves substantial illicit gains.

The anomaly was promptly detected by WOOFi’s transaction monitoring system and other security teams active in crypto, leading to the suspension of WOOFi Swap’s smart contracts by about 11 am ET to prevent further losses and initiate an investigation.

WOOFi’s sPMM algorithm simulates the dynamics of centralized exchanges to offer users optimal pricing. However, an unexpected error in the algorithm’s interaction with WOO’s liquidity conditions on Arbitrum enabled this exploit, according to the the team.

Other WOOFi products such as WOOFi Stake, Earn, and Pro, remain unaffected and operational.

A 10% whitehat bounty was offered

In response to the incident, WOOFi offered the attacker a 10% white hat bounty for the return of the stolen funds. The team stressed it will address the vulnerabilities before redeploying the WOOFi Swap contracts.

"We will work with top security firms to ensure these vulnerabilities are identified at an earlier stage. This is the first time an incident like this has happened to us, and we want to make sure it doesn't happen again," it noted.

The price of each WOO token across various exchanges dropped by 18% after the incident, falling from $0.59 to $0.49. It has now rebounded to above $0.54, according to The Block's price page .