Vulnerability in Base's Lending Contracts Leads to $1 Million Theft

An exploit of unverified lending contracts on the L2 network Base led to the theft of more than $1 million; the incident was reported by the security firm Cyvers (Cyvers Alerts).

ALERT Our system detected multiple suspicious transactions involving unverified lending contracts on #Base a few hours ago.

The attacker initially made a suspicious transaction, gaining approximately $993K from these unverified contracts. Most of these tokens were swapped and… pic.twitter.com/FRo5gVhxCc
— Cyvers Alerts (@CyversAlerts) October 25, 2024

The attacker exploited a vulnerability in WETH-related smart contracts: after manipulating the price oracle the contracts relied on, the attacker withdrew $993,000.

About $202,000 of the proceeds was sent to Tornado Cash. The attack was then repeated, and the damage from the second round amounted to $455,127.

"The oracle used by these contracts is not reliable. It relies on only one pair with limited liquidity of $400,000, which has made it susceptible to price fluctuations that can be manipulated," explained Hakan Unal, senior security specialist at Cyvers Alerts.

To prevent such incidents, it is necessary to use reliable, diversified oracles with high liquidity, the expert noted.
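To make the oracle failure Unal describes concrete, here is an added simulation that is not part of the original post and not code from the affected contracts. It models a constant-product TOK/WETH pool with roughly $400K of liquidity, a lending market that values collateral at the pool's spot reserve ratio, and the same market reading a time-weighted accumulator instead. The pool sizes, the 75% loan-to-value rule, the 400 WETH flash-loan size, the 2-second block time and the token name TOK are all constructed assumptions.

```python
"""Simulation of a single-pair spot-price oracle being manipulated, and of
the same lending market read through a time-weighted price accumulator.
Everything here is constructed for illustration: pool sizes, the 75% LTV,
the attacker's flash-loan size and the 2-second block time are assumptions."""
from dataclasses import dataclass

FEE = 0.003   # Uniswap-v2-style swap fee charged on the input amount
LTV = 0.75    # assumed loan-to-value the lending market grants on TOK collateral


@dataclass
class Pool:
    """Constant-product (x*y=k) TOK/WETH pair. Reserves in whole tokens."""
    tok: float
    weth: float

    def spot_price(self) -> float:
        """WETH per TOK read straight from the reserves. Any caller who can
        move the reserves inside a transaction can move this number."""
        return self.weth / self.tok

    def buy_tok(self, weth_in: float) -> float:
        """Swap WETH for TOK and return the TOK received."""
        net_in = weth_in * (1 - FEE)
        tok_out = self.tok * net_in / (self.weth + net_in)
        self.weth += weth_in
        self.tok -= tok_out
        return tok_out


class CumulativeOracle:
    """Uniswap-v2-style accumulator: running sum of price * seconds. The price
    that prevailed since the previous update is credited for the elapsed time,
    so a swap only starts to count once at least one block has passed."""

    def __init__(self, price: float, t: int):
        self.cum, self.last_price, self.last_t = 0.0, price, t

    def update(self, price: float, t: int) -> None:
        self.cum += self.last_price * (t - self.last_t)
        self.last_price, self.last_t = price, t

    def snapshot(self, t: int) -> float:
        """Accumulator value at time t (t must not precede the last update)."""
        assert t >= self.last_t
        return self.cum + self.last_price * (t - self.last_t)


def fresh_pool() -> Pool:
    # ~$200K on each side at $2,500/WETH: a thin pair like the one the alert describes
    return Pool(tok=200_000.0, weth=80.0)


def spot_oracle_attack(flash_weth: float = 400.0) -> dict:
    """Lending market prices collateral from Pool.spot_price()."""
    pool = fresh_pool()
    fair = pool.spot_price()                 # 0.0004 WETH per TOK before the attack
    tok = pool.buy_tok(flash_weth)           # one large buy drains most of the TOK side
    pumped = pool.spot_price()
    credited = tok * pumped                  # collateral valued at the manipulated price
    borrowed = credited * LTV                # WETH the market lends against it
    return {
        "fair_price": fair,
        "pumped_price": pumped,
        "fair_value_weth": tok * fair,       # what the seized collateral is really worth
        "borrowed_weth": borrowed,
        "profit_weth": borrowed - flash_weth,  # flash loan repaid out of the borrow
    }


def twap_oracle_attack(window_blocks: int = 1800, block_time: int = 2,
                       flash_weth: float = 400.0) -> dict:
    """Same attack against a market that prices collateral with a TWAP over
    window_blocks (1800 blocks * 2 s = one hour)."""
    pool = fresh_pool()
    fair = pool.spot_price()
    oracle = CumulativeOracle(fair, t=0)
    window = window_blocks * block_time
    obs_start = oracle.snapshot(0)           # observation the market stored an hour ago
    obs_next = oracle.snapshot(block_time)   # and the one it stored one block later
    pool.buy_tok(flash_weth)
    oracle.update(pool.spot_price(), t=window)   # swap lands at the end of the window
    same_block = (oracle.snapshot(window) - obs_start) / window
    next_block = (oracle.snapshot(window + block_time) - obs_next) / window
    return {"fair_price": fair, "same_block_twap": same_block, "next_block_twap": next_block}


if __name__ == "__main__":
    s = spot_oracle_attack()
    print(f"spot oracle: price x{s['pumped_price'] / s['fair_price']:.1f}, "
          f"borrowed {s['borrowed_weth']:.0f} WETH against collateral worth "
          f"{s['fair_value_weth']:.0f} WETH at the pre-attack price")
    t = twap_oracle_attack()
    print(f"twap oracle: same-block x{t['same_block_twap'] / t['fair_price']:.3f}, "
          f"next-block x{t['next_block_twap'] / t['fair_price']:.3f}")
```

With the spot oracle a single 400 WETH buy moves the reserve ratio by more than 30x, and the market lends well over twenty times the pre-attack value of the collateral it ends up holding. With the accumulator, a query in the attacker's own block sees no change at all, and a query one block later sees a move of about 2%, which is why a time-weighted or multi-source price, sourced from deep liquidity as the expert recommends, is the usual mitigation.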

The attacker got away with the stolen assets, and their identity has not been established. Responsibility for the incident will fall on the organization operating the lending protocols, Unal added.