Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 181Oracle Manipulation

WOOFi sPMM Price Manipulation

WOOFi Swap on Arbitrum lost $8.75M after the attacker realised WOO's Chainlink oracle was never configured and the sPMM accepted any manipulated price.

Date
Victim
WOOFi
Chain(s)
Arbitrum
Status
Funds Stolen

On March 5, 2024, the decentralised exchange WOOFi lost approximately $8.75 million on its Arbitrum deployment after an attacker exploited the project's synthetic proactive market making (sPMM) algorithm. The proximate cause: the WOO token's price oracle was set to the zero address — Chainlink had never been configured for that token — so the sPMM accepted any extreme price the attacker pushed it toward.

What happened

WOOFi's sPMM algorithm was designed to give DEX users CEX-like execution by dynamically pricing trades against a reference oracle. Each token in the system was supposed to have a Chainlink price feed configured through an admin function so the sPMM could sanity-check the prices it generated.

For the WOO token itself — the protocol's native asset — the admin function setting the Chainlink oracle had never been called. The oracle address remained at its default value: address(0). When the sPMM looked up WOO's reference price, it got no usable bound — and accepted whatever the algorithm's internal calculation produced, no matter how extreme.

The attack:

  1. Flash-borrowed ~7.7M WOO plus several other tokens.
  2. Sold the WOO into WOOFi, pushing the sPMM's internal WOO price toward zero through repeated dumps.
  3. With no oracle to bound the calculation, the sPMM's internal price dropped to essentially zero.
  4. Swapped 10M WOO out of WOOFi in the same transaction, paying almost nothing because of the manipulated internal price.
  5. Repeated three times within 13 minutes.

Net profit after repaying the flash loans: ~$8.75M.

Aftermath

  • WOOFi paused the affected sPMM v2 contract for approximately two weeks while shipping a fixed version with proper oracle configuration.
  • The attacker was offered a 10% white-hat bounty for the return of funds; no return.
  • The protocol absorbed the loss from team and treasury reserves.

Why it matters

WOOFi is one of the clearest case studies for why "the oracle is the trust boundary" only applies if the oracle is actually wired up. The sPMM code was correct. The oracle integration was correct. The deployment script that calls the admin function to set the oracle for each new token was missed for WOO — and the system silently degraded to "trust the algorithm's internal numbers" instead of "verify against an external source."

The lesson — that deployment scripts must be checked for completeness, end-to-end, against the protocol's documented preconditions — has driven the broader push toward:

  • Post-deployment invariant checks that verify every expected configuration value before contracts go live.
  • Initialisation guards that revert until all required configuration has been set.
  • Deployment "checklists" enforced in code — modifier patterns that prevent privileged functions from being callable until configuration is complete.

A protocol can pass every audit and still ship into production with an unset oracle. The defensive practice is to make that impossible at the contract level, not relying on operational discipline alone.

Sources & on-chain evidence

  1. [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-woofi-hack-march-2024
  2. [02]cyfrin.iohttps://www.cyfrin.io/blog/hack-analysis-into-woofi-exploit
  3. [03]woox.iohttps://woox.io/en/blog/woofi-spmm-exploit-post-mortem

Related filings