defirisk.co
rubric v1.7.0

WooFi (WooPPV2): Flash loan → WOO oracle price manipulation → pool swap drain

Occurred: 2024-03-05
Loss: $9M
Status: closed

Summary #

WooFi (WooPPV2), a DEX / AMM (sPMM oracle-based), was exploited on 2024-03-05, resulting in a loss of approximately $9M.

What happened #

WooFi lost $8.5M on Arbitrum when attackers exploited a gap in the sPMM oracle's Chainlink fallback — flash loans drove WOO price out of range with no safety net to catch it.

Linked factors #

  • RD-F-006 — causal: Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the core WooPPV2 contract predates the exploit; the new risk factor was the newly added WOO lending market which changed the economic at...]
  • RD-F-008 — illustrative: Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited code — the sPMM oracle was audited by CertiK; the specific interaction between sPMM out-of-range + missing WOO Chainlink fallback wa...]
  • RD-F-099 — illustrative: Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — WOO price was manipulated to extreme levels within the sPMM system; a price deviation monitor against Chainlink would have flagged this ...]
  • RD-F-100 — illustrative: Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — the attacker used a flash loan to pump and manipulate WOO price; detectable as an unusually large flash loan on a low-liquidity token]
  • RD-F-146 — related: New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the core WooPPV2 contract predates the exploit; the new risk factor was the newly added WOO lending market which changed the economic at...]