People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Woo is some sort of finance platform that is on various blockchains. Recently, they had deployed everything on Arbitrum.
WOOFi has a system that adjusts the oracle prices based on trade value. By using oracle manipulation within a low-liquidity environment, it was possible to drop the price of the asset to steal funds.
The attacker borrowed 7.7M WOO, then sold the WOO into WOOFi. The pricing algorithm then incorrectly produced an extreme price close to zero. From there, the attacker swapped out 10M WOO for almost nothing in USDC. They did this 3 times in order to make a large profit of about 8.75M.
Instead of using a standard Automated Market Maker (AMM), they used their special sPMM (synthetic proactive market maker). Within their protocol, the error resulted in the price going outside of the range, to $0.00000009. In theory, a fallback to Chainlink should have executed, but the threshold wasn't reached, resulting in this major issue.
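A minimal sketch of the kind of reference-price guard discussed above, as an added example that is not WOOFi's code. The linear price-impact model, the starting price, the coefficient and the 5% bound are constructed assumptions; only the 7.7M sale size comes from the write-up.

```python
from decimal import Decimal

# Constructed values; only the 7.7M sale size is taken from the write-up.
START_PRICE = Decimal("0.5")        # assumed starting WOO price in USDC
COEFF = Decimal("0.00000012")       # assumed price-impact coefficient
MAX_DEVIATION = Decimal("0.05")     # assumed 5% bound against the reference

def post_trade_price(price, base_sold, coeff=COEFF):
    """Toy linear impact model (an assumption, not the real sPMM formula):
    selling base tokens lowers the quoted price, floored at zero."""
    impact = 2 * coeff * price * base_sold
    return max(price * (1 - impact), Decimal(0))

def guarded_price(pool_price, reference_price, max_deviation=MAX_DEVIATION):
    """Return (price, source). Fail closed when there is no usable
    reference, and fall back to it when the pool price drifts too far."""
    if reference_price is None or reference_price <= 0:
        raise ValueError("no reference price available: refuse to quote")
    deviation = abs(pool_price - reference_price) / reference_price
    if deviation > max_deviation:
        return reference_price, "reference"
    return pool_price, "pool"

if __name__ == "__main__":
    # A routine trade versus the 7.7M sale, both checked against the reference.
    for sold in (Decimal("1000"), Decimal("7700000")):
        pool = post_trade_price(START_PRICE, sold)
        price, source = guarded_price(pool, START_PRICE)
        print(f"sold={sold} pool_price={pool} quoted={price} via {source}")
```

The guard only helps if a reference feed is actually configured and the bound is tight enough to trigger, which is why the sketch refuses to quote when the reference is missing rather than silently trusting the pool price.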
A few things stood out to me and rekt.news. First, going to different chains doesn't come without risk. Having low liquidity can be an issue for these types of attacks. Second, things that are not battle-tested and well audited shouldn't have millions in them.