An exploit exposed major flaws in the Base blockchain, resulting in $1 million in stolen funds and raising security concerns across DeFi.
Approximately $1 million was stolen in an attack on unverified lending contracts on the Base network.
Blockchain security company Cyvers Alerts reported the event, which lasted for several hours, in an X post on October 25.
The attacker manipulated the price and drained the funds by exploiting a flaw in the Wrapped Ether (WETH) smart contracts.
Exploitation of price manipulation
In their first suspicious transaction, the attacker took $993,534 out of unverified lending contracts on the Base blockchain.
They transferred most of the stolen funds to the Ethereum network before depositing $202,549 into the privacy-focused Tornado Cash service. The same exploit was used to steal an additional $455,127.
Hakan Unal, senior SOC lead at Cyvers Alerts, described the attack’s exploited vulnerability in a written Q&A:
“The oracle used by these contracts was not robust, relying only on a single pair with a limited liquidity of ~$400K, making it susceptible to price swings that could be manipulated.”
Implications for security and prevention
The abuse of unverified lending contracts points to deeper problems in decentralized finance (DeFi) systems, which need robust security.
Unal stated that similar attacks may be avoided in the future, especially “for assets like WETH,” by using “a more reliable, diversified oracle with higher liquidity to avoid price manipulation.”
“Enhanced due diligence for lending contract verification, particularly on oracles used, can mitigate these risks.”
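An added illustration of the oracle weakness and the fix Unal describes, not code from Cyvers or from the affected contracts. It assumes the thin pair is a constant-product (x*y=k) pool, which the article does not state, and all reserves, prices and liquidity figures are constructed.

```python
from statistics import median

def spot_after_buy(weth_reserve, usd_reserve, usd_in):
    """USD-per-WETH spot price of an x*y=k pool after usd_in is swapped for WETH (fees ignored)."""
    k = weth_reserve * usd_reserve
    new_usd = usd_reserve + usd_in
    new_weth = k / new_usd  # the invariant fixes how much WETH remains
    return new_usd / new_weth

def robust_price(quotes, min_liquidity_usd, min_sources=3):
    """Median over sources that meet a liquidity floor; refuse to price if too few remain."""
    eligible = [price for price, liquidity in quotes if liquidity >= min_liquidity_usd]
    if len(eligible) < min_sources:
        raise ValueError(f"only {len(eligible)} eligible source(s); need {min_sources}")
    return median(eligible)

# Constructed sample data (not from the incident): one pair holding ~$400K in total.
THIN_POOL = {"weth": 80, "usd": 200_000}  # spot = 2,500 USD/WETH
# Constructed (price, liquidity in USD) quotes from hypothetical deeper sources.
DEEP_SOURCES = [(2_498, 30_000_000), (2_500, 50_000_000), (2_502, 80_000_000)]

def demo(usd_in=200_000):
    """Compare a single-pair spot oracle with a diversified median after one large swap."""
    skewed = spot_after_buy(THIN_POOL["weth"], THIN_POOL["usd"], usd_in)
    quotes = [(skewed, 400_000)] + DEEP_SOURCES
    return {
        "single_pair_oracle": skewed,
        "median_all_sources": robust_price(quotes, min_liquidity_usd=0),
        "median_with_floor": robust_price(quotes, min_liquidity_usd=5_000_000),
    }

if __name__ == "__main__":
    for name, price in demo().items():
        print(f"{name:>20}: {price:,.0f} USD/WETH")
```

The liquidity floor and minimum source count are the parts a lending-contract review would check: a configuration with one thin pair fails outright instead of returning a price.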
Who is at fault?
Unal told Cointelegraph that, by taking advantage of “the price manipulation vulnerability,” “the attacker managed to escape” with the stolen money.
“Responsibility likely falls on the entity managing the unverified lending contracts, as well as those responsible for choosing an insufficiently secure oracle for price verification.”
The perpetrator has successfully fled with the stolen money and has not yet been identified.
This incident makes it clear that DeFi platforms must strengthen security procedures to safeguard user funds and guarantee contract verification to stop future occurrences of this kind.