An exploit involving unverified lending contracts on the Base blockchain resulted in the theft of about $1 million.
The incident, which took place over several hours, was reported by blockchain security firm Cyvers Alerts in an X post on Oct. 25.
The attacker exploited a vulnerability in the smart contracts related to Wrapped Ether (WETH), successfully manipulated the price and then siphoned the funds.
Price manipulation exploit
The attacker’s initial suspicious transaction extracted $993,534 from the Base blockchain’s unverified lending contracts.
They moved most of the stolen funds to the Ethereum network and then deposited $202,549 into the privacy-focused Tornado Cash service. Additional funds totaling $455,127 were taken using the same exploit.
In a written Q&A with Cointelegraph, Hakan Unal, senior SOC lead at Cyvers Alerts, explained the vulnerability exploited in the attack:
“The oracle used by these contracts was not robust, relying only on a single pair with a limited liquidity of ~$400K, making it susceptible to price swings that could be manipulated.”
Security implications and prevention
The exploitation of unverified lending contracts reveals broader risks associated with decentralized finance (DeFi) platforms that fail to implement strong security measures.
Unal said that “a more reliable, diversified oracle with higher liquidity to avoid price manipulation” could be used to prevent similar attacks in the future, particularly “for assets like WETH.”
“Enhanced due diligence for lending contract verification, particularly on oracles used, can mitigate these risks.”
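The single-pair oracle Unal describes and the diversified, liquidity-gated alternative he recommends, modelled as an added example in Python (this is not code from the affected contracts or from Cyvers); the pool names, prices, liquidity figures and the loan-to-value ratio are constructed assumptions:

```python
from dataclasses import dataclass
from statistics import median
from typing import Iterable


@dataclass(frozen=True)
class PairQuote:
    """One WETH price source: a DEX pair's spot price and its on-chain liquidity."""
    name: str
    price_usd: float
    liquidity_usd: float


# Constructed sample quotes (hypothetical pools, not data from the incident).
# Pair A has roughly the ~$400K depth cited in the article and has been pushed
# far from the market; the deeper pairs agree with each other.
SAMPLE_QUOTES = [
    PairQuote("thin-pair-A", 9_900.0, 400_000.0),
    PairQuote("deep-pair-B", 2_510.0, 25_000_000.0),
    PairQuote("deep-pair-C", 2_505.0, 18_000_000.0),
    PairQuote("deep-pair-D", 2_515.0, 30_000_000.0),
]


def single_pair_oracle(quote: PairQuote) -> float:
    """The fragile design: the lending contract trusts one pair's spot price."""
    return quote.price_usd


def diversified_oracle(quotes: Iterable[PairQuote], min_liquidity_usd: float,
                       max_deviation: float) -> float:
    """Hardened design: ignore thin pairs, use the median, and fail closed
    (raise) when any remaining source disagrees with the median by more than
    max_deviation. A lender should revert rather than price on a quote it
    cannot corroborate."""
    eligible = [q for q in quotes if q.liquidity_usd >= min_liquidity_usd]
    if len(eligible) < 3:
        raise ValueError("fewer than three sufficiently liquid sources")
    ref = median(q.price_usd for q in eligible)
    for q in eligible:
        deviation = abs(q.price_usd - ref) / ref
        if deviation > max_deviation:
            raise ValueError(f"{q.name} deviates {deviation:.0%} from median")
    return ref


def max_borrow_usd(collateral_weth: float, price_usd: float, ltv: float) -> float:
    """Borrow limit granted against WETH collateral at the oracle price; an
    inflated price inflates this limit, which is how a weak oracle leaks funds."""
    return collateral_weth * price_usd * ltv
```

With a $1M liquidity floor the thin pair is excluded and the three deep pairs agree, so the oracle returns the median; lowering the floor to $100K lets the skewed pair in and the deviation check makes the oracle refuse to price at all.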
Who’s to blame?
Unal told Cointelegraph that “the attacker managed to escape” with the funds stolen through exploiting “the price manipulation vulnerability.”
“Responsibility likely falls on the entity managing the unverified lending contracts, as well as those responsible for choosing an insufficiently secure oracle for price verification.”
The attacker has yet to be identified and has absconded with the stolen funds.
This incident highlights a need for DeFi platforms to improve security protocols to protect user funds and ensure contract verification to prevent similar events from occurring.