A major Base Blockchain vulnerability has been used in a price manipulation exploit, leading to the theft of $1.5 million, according to blockchain security firm Cyvers Alerts.
Cyvers Alerts initially reported the exploit, which lasted several hours, in an October 25 X post.
Suspicion arose after a transaction extracted $993,534 from the Base blockchain’s unverified lending contracts. Nearly five hours later, using the same method, an additional $455,127 was siphoned off.
Cyvers identified the root cause as price manipulation of Wrapped Ether ($WETH) through excessive borrowing.
How The Exploiter Manipulated Prices
The attacker exploited a vulnerability in the smart contracts related to WETH, successfully manipulated the price, and then siphoned the funds.
The exploit targeted an oracle within the contract that relied on a single trading pair with limited liquidity of around $400,000, making it susceptible to price swings that could be manipulated.
This could have been avoided with a diversified oracle that used higher liquidity sources to resist such manipulation better.
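The difference between a single thin pair and a diversified oracle can be put in numbers. The sketch below is an added example, not code from Cyvers or from the affected contracts: it assumes a constant-product (x*y=k) pool model, and the $2,500 WETH price, the $100,000 trade, the deep-pool sizes and the liquidity threshold are all constructed values.

```python
from statistics import median

def pool_price_after_buy(weth_reserve, usd_reserve, usd_in):
    """Spot price (USD per WETH) reported by a constant-product pool
    after usd_in of stablecoin is swapped for WETH. Fees are ignored."""
    k = weth_reserve * usd_reserve
    new_usd = usd_reserve + usd_in
    new_weth = k / new_usd
    return new_usd / new_weth

def robust_price(sources, min_liquidity_usd, min_sources=3):
    """Median price over sources deep enough to count.

    sources is a list of (price, liquidity_usd) pairs. Raises ValueError
    when too few sources qualify, so a lending contract can pause
    borrowing instead of trusting a thin feed."""
    eligible = [price for price, liq in sources if liq >= min_liquidity_usd]
    if len(eligible) < min_sources:
        raise ValueError("not enough high-liquidity price sources")
    return median(eligible)

FAIR = 2500.0    # constructed fair WETH price in USD
TRADE = 100_000  # constructed trade size in USD

def demo():
    """Return (single-pair price / fair, diversified price / fair)."""
    # Thin pair: about $400,000 total liquidity, as in the article.
    thin = pool_price_after_buy(80, 200_000, TRADE)
    # Constructed deep pools; the same trade hits only the first one.
    deep_a = pool_price_after_buy(16_000, 40_000_000, TRADE)
    deep_b = pool_price_after_buy(8_000, 20_000_000, 0)
    deep_c = pool_price_after_buy(12_000, 30_000_000, 0)
    sources = [(thin, 400_000), (deep_a, 80_000_000),
               (deep_b, 40_000_000), (deep_c, 60_000_000)]
    diversified = robust_price(sources, min_liquidity_usd=10_000_000)
    return thin / FAIR, diversified / FAIR

if __name__ == "__main__":
    single, diversified = demo()
    print(f"single thin pair reports {single:.2f}x the fair price")
    print(f"liquidity-filtered median reports {diversified:.2f}x")
```

The liquidity filter drops the thin pair before the median is taken, and the aggregator refuses to answer when fewer than three deep sources remain.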
According to Cyvers, the stolen funds were moved to the Ethereum network. $202,549 of the funds were funneled through Tornado Cash, a privacy-focused “crypto mixer.”
Crypto mixers obscure transaction paths, making it challenging to trace funds back to their original source. While Tornado Cash is intended for privacy, its use by hackers to launder stolen funds has been widely criticized.
The attacker is currently unidentified, and the use of Tornado Cash suggests that tracking them down may prove difficult.
Ethereum Network Remains the Prime Target For Hackers
Despite the exploit, the Base blockchain has a good track record compared to other blockchains. Over Q3, Base only saw 3 incidents, totaling $2.2M in losses, according to a CertiK report.
[Figure: Q3 hack incidents and losses by chain. Source: CertiK.]
This is modest compared to Ethereum, which continues to be a prime target, with $387.8 million stolen across 86 incidents. This vastly outpaces any other blockchain in terms of both frequency and total losses.
Vulnerabilities in smart contract code contributed to $39.6 million in losses over 44 incidents. At the same time, reentrancy attacks, a technique enabling hackers to repeatedly withdraw funds before balances are updated, were responsible for $30.3 million in losses across five cases.
However, user error accounted for a large share of the $750 million lost in hacks last quarter. Phishing and private key compromises were the most prevalent attack vectors, contributing $668 million in losses.
The post Cyvers Flags $1.5M Theft in Base Blockchain Exploit appeared first on Cryptonews.