Wise Lending market exploited for 177 ETH in a flash loan attack
|- Wise Lending market lost approximately $464,000 to a hacking incident.
- PeckShield attributed the incident to flawed accounting logic with a precision issue to drain the market funds.
- The exploiter inflated the share price in an almost empty market, and then borrowed most funds in the lending markets.
Wise Lending, a Web3 lending application and yield aggregator, is the latest victim of an exploit, and arguably the first case in 2024 after an exploiter executed a flash loan attack.
Also Read: Bitcoin Weekly Forecast: BTC crashes as GBTC dumps, but bullish outlook still not under threat
Wise Lending loses 177 ETH to a flash loan attacker
Wise Lending was exploited for 177 ETH, worth approximately $464,000 at current rates. According to blockchain security firm and data analytics firm PeckShield, the aggregator’s share accounting logic was flawed with a precision issue to drain the market funds.
The @Wise_Lending market was exploited today, resulting in ~177 ETH loss (~$464K).
— PeckShield Inc. (@peckshield) January 12, 2024
Our initial analysis shows the share accounting logic is flawed with a precision issue to drain the market funds.
Here is the related hack tx: https://t.co/aadbYIjX9o pic.twitter.com/FEtWW1wzKH
The @Wise_Lending market was exploited today, resulting in ~177 ETH loss (~$464K).
— PeckShield Inc. (@peckshield) January 12, 2024
Our initial analysis shows the share accounting logic is flawed with a precision issue to drain the market funds.
Here is the related hack tx: https://t.co/aadbYIjX9o pic.twitter.com/FEtWW1wzKH
Specifically, the bad actor leveraged a flash loan attack, a mechanism often used in manipulating oracle prices.
The exploiter preyed on a nearly empty market to inflate the share price. After the share price is inflated, most funds in the lending markets were then borrowed.
Details of the attack
The exploiter used an unverified contract whose address ended with …”d82c” to execute the exploit, transferring multiple tokens into the contract, data on Etherscan shows. Among the loot was $9,000 worth of USD Coin (USDC), $2,000 worth of Tether (USDT), $5,000 worth of Dai (DAI), 18.51 Wrapped Ether (WETH) worth $47.694, and multiple other tokens associated with Pendle Finance.
The exploiter borrowed 1,110 Lido Staked Ether (stETH) tokens worth approximately $2.9 million from the Aave (AAVE) lending protocol as part of the exploit.
The incident was first reported by @spreekaway, indicating, “Looks like Wise Lending exploited for ~170 ETH,” with the attack taking place at 7:29 pm UTC. According to Spreek, the exploit was due to a new Pendle Finance derivative token.
Looks like Wise Lending exploited for ~170 eth pic.twitter.com/FKivuNIKZV
— Spreek (@spreekaway) January 12, 2024
Looks like Wise Lending exploited for ~170 eth pic.twitter.com/FKivuNIKZV
— Spreek (@spreekaway) January 12, 2024
However, a threat researcher, going by @officer_cia on X, said that the attack may have been caused by a 7% swing in price between stETH and ETH within a particular pool. This, in their opinion, came as a result of AAVE v2 stETH flash loan.
Looks like Pendle had a 7% stETH/ETH swing b/c of AAVE v2 stETH flashloan.
— Officer's Notes (@officer_cia) January 12, 2024
Wise got drained accordingly (probably a 1:1 fixed exchange somewhere).
Source: https://t.co/xNR62SELnh
Info by @charliemktplace ⬆️ pic.twitter.com/9oVBL3x0Of
Looks like Pendle had a 7% stETH/ETH swing b/c of AAVE v2 stETH flashloan.
— Officer's Notes (@officer_cia) January 12, 2024
Wise got drained accordingly (probably a 1:1 fixed exchange somewhere).
Source: https://t.co/xNR62SELnh
Info by @charliemktplace ⬆️ pic.twitter.com/9oVBL3x0Of
Wise Lending did not respond immediately to FXStreet request for comment.
Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers.