
WooTrade Hack Detected in Advance by Forta ($4.8M)

March 14, 2024

Forta is the largest network of security intel in Web3. The decentralized Forta Network leverages machine learning and a community of security researchers to detect exploits, scams and other threats.

On March 5th, 2023, the DeFi world witnessed a sophisticated attack on WOOFi Swap on the Arbitrum network, leveraging the platform's synthetic proactive market making (sPMM) algorithm. Despite the unfortunate loss, this incident spotlighted the critical role of real-time monitoring and automated incident response, as demonstrated by Forta's coverage of the attack. This post-mortem details how the exploit unfolded and Forta's response, highlighting the potential for saving the majority of the funds with an automated response workflow.

The Exploit Mechanism

The attacker executed a well-planned sequence of transactions involving flash loans and manipulative trades to exploit the sPMM algorithm that controls WOOFi Swap's pricing. By borrowing approximately 7.7 million WOO tokens, among other assets, the exploiter sold these into WOOFi at artificially depressed prices, subsequently swapping out 10 million WOO at nearly zero cost. This process was repeated three times within minutes, each time extracting significant value due to the algorithm's incorrect price adjustment. The net profit for the exploiter amounted to about $8.75 million.

Forta's Real-time Detection

Forta's network, designed to monitor and alert on such hacks in real-time, detected the exploit as it unfolded. The timeline of events and Forta's alerts is as follows:

First Attack Transaction at 15:42:06 UTC:
- The exploiter drained 559 ETH and 2.5M $WOO.
- Forta's first alert was triggered at 15:42:22 UTC, approximately 16 seconds after the attack began.

Between the First and Second Attack:
- Forta issued an alert at 15:43:07 UTC and another alert at 15:43:10 UTC, marking the recognition of the ongoing exploit.

Second Attack Transaction at 15:49:29 UTC:
- The exploiter continued with a similar attack pattern, draining additional funds.

Third Attack Transaction at 15:53:58 UTC:
- The final attack sequence followed, with the exploiter extracting further assets.

Despite the slight delay in the initial detection, Forta's alerts provided a critical window that, if coupled with an automated incident response system, could have significantly mitigated the exploit's impact. The detection before the second and third transactions indicated a clear opportunity to halt further attacks and secure the remaining assets.
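The window described above can be made concrete with a small model of the timeline. This is an added example, not Forta's or WOOFi's code; the pause policy and its parameters (`min_alerts`, `window_s`, `latency_s`) are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

def ts(hms):
    """Parse an HH:MM:SS UTC time; all events fall on the same day."""
    return datetime.strptime(hms, "%H:%M:%S")

# Times as listed in the post's timeline.
ATTACK_TXS = [ts("15:42:06"), ts("15:49:29"), ts("15:53:58")]
ALERTS = [ts("15:42:22"), ts("15:43:07"), ts("15:43:10")]

def pause_effective_at(alerts, min_alerts, window_s, latency_s):
    """Return when a pause would take effect, or None if the policy never fires.

    Hypothetical policy: fire once `min_alerts` alerts fall within `window_s`
    seconds of each other, then allow `latency_s` seconds for the pause
    transaction to be submitted and confirmed.
    """
    alerts = sorted(alerts)
    for i in range(min_alerts - 1, len(alerts)):
        first = alerts[i - min_alerts + 1]
        if (alerts[i] - first).total_seconds() <= window_s:
            return alerts[i] + timedelta(seconds=latency_s)
    return None

def evaluate(min_alerts, window_s, latency_s):
    """Count attack transactions landing after the pause, and the margin."""
    paused = pause_effective_at(ALERTS, min_alerts, window_s, latency_s)
    if paused is None:
        return {"blocked": 0, "margin_s": None}
    blocked = [tx for tx in ATTACK_TXS if tx > paused]
    margin = (blocked[0] - paused).total_seconds() if blocked else None
    return {"blocked": len(blocked), "margin_s": margin}

def max_latency_budget_s(min_alerts, window_s):
    """Largest latency that still pauses before the second attack transaction."""
    fired = pause_effective_at(ALERTS, min_alerts, window_s, 0)
    return None if fired is None else (ATTACK_TXS[1] - fired).total_seconds()

if __name__ == "__main__":
    for k in (1, 2, 3):  # require 1, 2 or 3 corroborating alerts
        print(k, evaluate(k, 60, 30), max_latency_budget_s(k, 60))
```

Requiring all three alerts before pausing still leaves more than six minutes of latency budget before the second attack transaction, so a corroboration threshold that reduces false-positive pauses costs under a minute of that window.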

The Potential of Automated Incident Response

This incident underscores the necessity of not only real-time monitoring but also the implementation of automated incident response mechanisms. It is worth noting that WOOFi did have a pause functionality for this contract that was activated during this attack. While that pause likely saved the protocol a significant sum of money, an automated incident response system could have saved the protocol $4.8M. Had WOOFi Swap integrated such a system, powered by Forta's alerts, it could have paused operations or triggered other defensive actions immediately after the first or subsequent alerts, potentially saving up to two-thirds of the compromised funds.

While the WOOFi exploit presents a tough lesson, it also highlights a path forward. The integration of Forta's real-time monitoring with automated incident response workflows offers a robust defense against sophisticated exploits, enabling platforms to respond swiftly and effectively to emerging threats.

For projects seeking to enhance their security posture, integrating Forta's Attack Detector and incident response capabilities represents a strategic step towards achieving resilience against the complex threat landscape of today's blockchain networks.
