Cyvers Reports $1.5M Theft in Base Blockchain Hack


Details of the Exploit

Cyvers Alerts initially reported the exploit, which lasted several hours, in an October 25 X post. Suspicion arose after a transaction extracted $993,534 from the Base blockchain’s unverified lending contracts. Nearly five hours later, using the same method, an additional $455,127 was siphoned off.

Root Cause of the Vulnerability

Cyvers identified the root cause as price manipulation of Wrapped Ether ($WETH) through excessive borrowing.

How the Exploiter Manipulated Prices

The attacker exploited a vulnerability in the smart contracts related to WETH, manipulating its price and siphoning off the funds. The exploit targeted a price oracle within the contract that relied on a single trading pair with only around $400,000 of liquidity, so a relatively small trade could move the price the oracle reported.

This vulnerability could have been mitigated with a diversified oracle that drew on several higher-liquidity price sources and so resisted this kind of manipulation.
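To make the oracle point concrete, the following added simulation (constructed for this article, not the exploited contract's code and not Cyvers' analysis) pushes one large trade through a constant-product pair holding about $400,000 of liquidity and compares what a single-pair spot oracle reports against a median over two deeper pairs. The pool sizes, the $2,000 starting price, the trade size, the 75% loan-to-value ratio and the 5% deviation threshold are all assumed values.

```python
"""Constructed simulation: why a spot price read from one thin trading pair
moves under a single large trade, and why a median across deeper sources
(plus a deviation check) resists the same trade. All figures are assumed."""

from dataclasses import dataclass
from statistics import median
from typing import List


@dataclass
class ConstantProductPool:
    """Uniswap-v2-style pair: reserve_token * reserve_usd stays constant.

    reserve_token is the WETH-like asset, reserve_usd the quote asset;
    the swap fee stays in the pool, as it does in real AMMs.
    """
    reserve_token: float
    reserve_usd: float
    fee: float = 0.003

    def spot_price(self) -> float:
        """Instantaneous USD price of one token, as a naive oracle reads it."""
        return self.reserve_usd / self.reserve_token

    def liquidity_usd(self) -> float:
        """Total value locked, counting both sides at the current spot price."""
        return 2 * self.reserve_usd

    def buy_token_with_usd(self, usd_in: float) -> float:
        """Swap usd_in for tokens; mutates the reserves, returns tokens received."""
        k = self.reserve_token * self.reserve_usd
        usd_effective = usd_in * (1 - self.fee)
        new_token = k / (self.reserve_usd + usd_effective)
        tokens_out = self.reserve_token - new_token
        self.reserve_usd += usd_in
        self.reserve_token = new_token
        return tokens_out


def single_pair_oracle(pool: ConstantProductPool) -> float:
    """The weak pattern: trust one pair's spot price."""
    return pool.spot_price()


def median_oracle(pools: List[ConstantProductPool]) -> float:
    """Hardened pattern: the median across several sources, so one pair
    cannot move the answer unless the others move with it."""
    return median(p.spot_price() for p in pools)


def within_deviation(reported: float, reference: float, max_deviation: float = 0.05) -> bool:
    """True if the reported price is within max_deviation of the reference."""
    return abs(reported - reference) / reference <= max_deviation


def guarded_price(reported: float, reference: float, max_deviation: float = 0.05) -> float:
    """Circuit breaker: refuse a price that strays too far from a reference."""
    if not within_deviation(reported, reference, max_deviation):
        raise ValueError("price deviates from reference by more than the allowed band")
    return reported


def max_borrow_usd(collateral_tokens: float, price: float, ltv: float = 0.75) -> float:
    """What a lending contract would lend against collateral at a given price."""
    return collateral_tokens * price * ltv


def run_scenario(trade_usd: float = 200_000.0):
    """Push one trade through the thin pair and report what each oracle sees.

    Returns (price_before, thin_pair_price_after, median_price_after).
    """
    # Assumed: a thin pair of 100 tokens at $2,000 (about $400K of liquidity)
    # and two deep pairs at the same price.
    thin = ConstantProductPool(reserve_token=100.0, reserve_usd=200_000.0)
    deep = [ConstantProductPool(5_000.0, 10_000_000.0) for _ in range(2)]

    before = single_pair_oracle(thin)
    thin.buy_token_with_usd(trade_usd)      # one large buy against the thin pair
    thin_after = single_pair_oracle(thin)
    median_after = median_oracle([thin, *deep])
    return before, thin_after, median_after


if __name__ == "__main__":
    before, thin_after, median_after = run_scenario()
    print(f"spot before trade:       ${before:,.0f}")
    print(f"thin-pair oracle after:  ${thin_after:,.0f} ({thin_after / before:.1f}x)")
    print(f"median oracle after:     ${median_after:,.0f}")
    print(f"borrow vs 100 tokens, thin oracle:   ${max_borrow_usd(100, thin_after):,.0f}")
    print(f"borrow vs 100 tokens, median oracle: ${max_borrow_usd(100, median_after):,.0f}")
    print("circuit breaker accepts thin price:", within_deviation(thin_after, median_after))
```

The single-pair oracle roughly quadruples after one trade of half the pool's liquidity, so a lender trusting it would extend several times the credit the collateral is worth; the median is unchanged, and the deviation check would halt the transaction outright. In practice the reference for that check is usually a time-weighted average or an external feed rather than a second spot read.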

Movement of Stolen Funds

According to Cyvers, the stolen funds were moved to the Ethereum network. $202,549 of the funds were funneled through Tornado Cash, a privacy-focused “crypto mixer.”

  • Crypto mixers obscure transaction paths, making tracing funds back to their original source challenging.
  • While Tornado Cash is intended for privacy, its use by hackers to launder stolen funds has been widely criticized.

The attacker is currently unidentified, and the use of Tornado Cash suggests that tracking them down may prove difficult.

Ethereum Network: A Prime Target for Hackers

Despite the exploit, the Base blockchain has a good track record compared to other blockchains. Over Q3, Base only saw 3 incidents, totaling $2.2 million in losses, according to a CertiK report.

This is modest compared to Ethereum, which continues to be a prime target, with $387.8 million stolen across 86 incidents. This vastly outpaces any other blockchain in terms of both frequency and total losses.

Smart Contract Vulnerabilities and User Errors

Vulnerabilities in smart contract code contributed to $39.6 million in losses over 44 incidents. Reentrancy attacks, in which an attacker repeatedly re-enters a withdrawal function before the contract updates its balances, were responsible for a further $30.3 million in losses across five cases.
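The reentrancy pattern mentioned above, as an added Python model written for this article (not EVM code and not any contract from the report): a vault that pays out before zeroing the caller's balance is drained by a recipient that calls withdraw() again from inside the payout, while the hardened vault updates state before the external call and additionally holds a reentrancy lock. The deposit amounts are assumed values.

```python
"""Constructed model of reentrancy: interaction-before-effect ordering lets a
recipient re-enter withdraw() while its balance is still intact. The hardened
variant uses checks-effects-interactions plus a lock. Amounts are assumed."""

from typing import Callable, Dict


class ReentrancyError(RuntimeError):
    """Stands in for the revert a Solidity nonReentrant modifier would cause."""


class Vault:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.balances: Dict[str, float] = {}
        self.funds = 0.0          # value the vault actually holds
        self._locked = False

    def deposit(self, who: str, amount: float) -> None:
        self.balances[who] = self.balances.get(who, 0.0) + amount
        self.funds += amount

    def withdraw(self, who: str, receive: Callable[["Vault", float], None]) -> None:
        # receive() models the external call that transfers value to `who`;
        # like a Solidity fallback, the recipient runs code during that call.
        if self.hardened and self._locked:
            raise ReentrancyError("reentrant call rejected")
        amount = self.balances.get(who, 0.0)
        if amount == 0.0 or amount > self.funds:          # checks
            return
        if self.hardened:
            self._locked = True
            self.balances[who] = 0.0                       # effects first
            self.funds -= amount
            receive(self, amount)                          # interaction last
            self._locked = False
        else:
            self.funds -= amount
            receive(self, amount)      # interaction BEFORE the balance update
            self.balances[who] = 0.0   # too late: the balance was intact above


class ReenteringReceiver:
    """Recipient whose payout handler immediately calls withdraw() again."""

    def __init__(self, name: str):
        self.name = name
        self.received = 0.0

    def __call__(self, vault: Vault, amount: float) -> None:
        self.received += amount
        try:
            vault.withdraw(self.name, self)
        except ReentrancyError:
            pass      # the guard rejected the nested call; the outer one completes


def simulate(hardened: bool):
    """Returns (value the re-entering depositor got, value left in the vault)."""
    vault = Vault(hardened)
    vault.deposit("honest", 9.0)      # assumed deposits
    vault.deposit("reentrant", 1.0)
    receiver = ReenteringReceiver("reentrant")
    vault.withdraw("reentrant", receiver)
    return receiver.received, vault.funds


if __name__ == "__main__":
    for flag in (False, True):
        got, left = simulate(flag)
        label = "hardened" if flag else "vulnerable"
        print(f"{label:10s}: withdrew {got:.1f} against a 1.0 deposit, vault keeps {left:.1f}")
```

In the vulnerable ordering the 1.0 depositor walks away with all 10.0 the vault held; in the hardened ordering the nested call finds the balance already zeroed and the lock engaged, so only the legitimate 1.0 leaves. Static analyzers and audit checklists flag exactly this ordering, which is why it remains a standard review item despite being well known.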

However, user error accounted for a large share of the $750 million lost to hacks last quarter. The most prevalent attack vectors were:

  • Phishing
  • Private key compromises

These methods contributed to a staggering $668 million in losses.