Web3 lending app and yield aggregator Wise Lending was drained of 170 Ether (ETH), worth $440,000 at current prices, in an apparent exploit on Jan. 12, according to multiple security experts. The exploiter may have manipulated an oracle price through a flash loan in order to carry out the exploit.
Blockchain data shows that the attack took place at 7:29 pm UTC. The attacker used an unverified contract with an address ending in d82c to drain the funds. Multiple tokens were transferred into this contract, including $9,000 worth of USD Coin (USDC), $2,000 worth of Tether (USDT), $5,000 worth of Dai (DAI), 18.51 Wrapped Ether (WETH) ($47,694) and numerous Pendle Finance-associated tokens.
The attacker borrowed 1,110 Lido Staked Ether (stETH) tokens ($2.9 million) from the Aave lending protocol as part of the exploit. Exploiters often use flash loans to manipulate oracle prices.
Pseudonymous blockchain security researcher Spreek alerted the crypto community about the attack on X (formerly Twitter), stating, “Looks like Wise Lending exploited for ~170 eth.”
In a reply to their own post, Spreek speculated that the vulnerability may have been associated with a new Pendle Finance derivative token. Another security researcher, Officer’s Notes, shared the post, commenting, “Another day, another exploit.” According to Officer’s Notes, the vulnerability may have been caused by a 7% swing in price between stETH and ETH within a particular pool, which was in turn “b/c of AAVE v2 stETH flashloan.”
2024 just got started, but decentralized finance protocols have already lost at least $5 million through exploits. On Jan. 3, Radiant Capital was hit for over $4.5 million. The following day, liquidity manager Gamma Protocol lost over $400,000 in an exploit.
In 2023, over $1.8 billion was lost from crypto hacks, scams and exploits, according to blockchain security platform CertiK.