An exploit of unverified lending contracts on the Base blockchain drained roughly $1 million through oracle price manipulation, renewing security concerns in DeFi.
An exploit involving unverified lending contracts on the Base blockchain led to approximately $1 million in losses.
The incident unfolded over several hours and was flagged by blockchain security firm Cyvers Alerts in an X post on October 25.
The attacker manipulated the Wrapped Ether (WETH) price reported by the price oracle these smart contracts relied on, then drained funds against the distorted valuation.
Price Manipulation Exploit
The first suspicious transaction enabled the attacker to withdraw $993,534 from unverified lending contracts deployed on Base.
Most of the stolen funds were then moved to the Ethereum network, with $202,549 deposited into the privacy service Tornado Cash. The attacker proceeded to take an additional $455,127 using the same exploit.
In a Q&A, Cyvers Alerts’ senior SOC lead Hakan Unal explained the vulnerability:
“The oracle used by these contracts was not robust, relying only on a single pair with a limited liquidity of ~$400K, making it susceptible to price swings that could be manipulated.”
Security Implications and Prevention
An unverified contract is one whose source code has not been published and matched to the deployed bytecode on a block explorer, so users and auditors cannot inspect its logic, including which price oracle it trusts. The use of such lending contracts highlights the risk of decentralized finance (DeFi) platforms that lack this basic transparency and other robust security measures.
Unal noted that “a more reliable, diversified oracle with higher liquidity to avoid price manipulation” could prevent similar attacks, especially “for assets like WETH.”
“Enhanced due diligence for lending contract verification, particularly on oracles used, can mitigate these risks.”
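To make the two points above concrete, here is an added illustration, written for this article and not code from the page or from the affected contracts. It models a lending contract whose oracle reads the spot price of a single thin ETH/USD pool, shows how one large swap in the same transaction moves that price and the borrowing capacity derived from it, and contrasts it with a median over several independent sources plus a deviation check. The constant-product pool model, the reserve sizes (chosen to mirror the "~$400K single pair" Unal describes), the swap size, the loan-to-value ratio and the 5% deviation threshold are all assumptions.

```python
"""
Constructed simulation of oracle price manipulation against a lending contract.
Assumptions: fee-free constant-product pools, a thin pair of about $400K total
liquidity at $2,500/ETH, two deeper independent venues, 80% loan-to-value.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import median


@dataclass
class Pool:
    """Constant-product (x * y = k) pool quoting ETH in USD. Fee-free (an assumption)."""
    reserve_eth: float
    reserve_usd: float

    def spot_price(self) -> float:
        return self.reserve_usd / self.reserve_eth

    def buy_eth(self, usd_in: float) -> float:
        """Sell usd_in into the pool and receive ETH; the quoted ETH price rises."""
        k = self.reserve_eth * self.reserve_usd
        new_usd = self.reserve_usd + usd_in
        new_eth = k / new_usd
        eth_out = self.reserve_eth - new_eth
        self.reserve_eth, self.reserve_usd = new_eth, new_usd
        return eth_out


def single_source_price(pool: Pool) -> float:
    """The weak design: trust the current spot price of one pair."""
    return pool.spot_price()


def diversified_price(sources: list[Pool], max_deviation: float = 0.05) -> tuple[float, list[int]]:
    """Median across independent sources plus a deviation check.

    Returns (price, indices of sources more than max_deviation away from the
    median) so a caller can pause borrowing when one feed looks manipulated.
    """
    prices = [p.spot_price() for p in sources]
    ref = median(prices)
    outliers = [i for i, px in enumerate(prices) if abs(px - ref) / ref > max_deviation]
    return ref, outliers


def max_borrow_usd(collateral_eth: float, price_usd: float, ltv: float) -> float:
    """Borrowing capacity a lending contract grants against ETH collateral."""
    return collateral_eth * price_usd * ltv


def run_scenario(swap_usd: float = 400_000.0, collateral_eth: float = 10.0, ltv: float = 0.8) -> dict:
    # Thin pair (constructed): 80 ETH + $200K at $2,500/ETH, about $400K total liquidity.
    thin = Pool(reserve_eth=80.0, reserve_usd=200_000.0)
    # Two deeper, independent venues at the same price (constructed).
    deep_a = Pool(reserve_eth=4_000.0, reserve_usd=10_000_000.0)
    deep_b = Pool(reserve_eth=4_000.0, reserve_usd=10_000_000.0)

    honest = thin.spot_price()
    borrow_before = max_borrow_usd(collateral_eth, honest, ltv)

    # Attacker pushes swap_usd through the thin pool in the same transaction.
    thin.buy_eth(swap_usd)

    manipulated = single_source_price(thin)
    borrow_single = max_borrow_usd(collateral_eth, manipulated, ltv)

    robust, outliers = diversified_price([thin, deep_a, deep_b])
    borrow_median = max_borrow_usd(collateral_eth, robust, ltv)

    return {
        "honest_price": honest,
        "manipulated_price": manipulated,
        "price_multiple": manipulated / honest,
        "borrow_before": borrow_before,
        "borrow_single_source": borrow_single,
        "median_price": robust,
        "flagged_sources": outliers,
        "borrow_diversified": borrow_median,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>22}: {value}")
```

With these assumed numbers a $400K swap moves the thin pool's spot price from $2,500 to $22,500, so 10 ETH of collateral that honestly supports a $20,000 loan supports $180,000 under the single-source oracle. The median over three venues stays at $2,500 and flags the thin pool as an outlier, which is the behaviour a "diversified oracle with higher liquidity" is meant to provide; a production design would also use a time-weighted average rather than raw spot prices so a single-block move cannot dominate.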
Who’s To Blame?
Unal told Cointelegraph that “the attacker managed to escape” with the funds after exploiting “the price manipulation vulnerability.”
“Responsibility likely falls on the entity managing the unverified lending contracts, as well as those responsible for choosing an insufficiently secure oracle for price verification.”
The attacker remains unidentified and has made off with the stolen assets.
This exploit underscores the need for DeFi platforms to publish verified contract source code and to rely on robust, manipulation-resistant price oracles in order to protect user funds and prevent similar incidents in the future.