An exploit in uncertified L2 Base network landing contracts resulted in the theft of more than $1 million. The incident was reported by security firm Cyvers Alerts.
The attacker exploited a vulnerability in WETH-related smart contracts. After successfully manipulating the price oracle, he withdrew $993,000.
About $202,000 was sent to Tornado Cash. The attack was then repeated, causing $455,127 in damage.
“The oracle used by these contracts is not reliable. It relies on only one pair with limited liquidity of $400,000, which made it susceptible to price fluctuations that can be manipulated,” explained Hakan Unal, senior security specialist at Cyvers Alerts.
To prevent such incidents, it is necessary to use reliable, diversified oracles with high liquidity, the expert noted.
The perpetrator managed to escape with the stolen assets, his identity has not been established. Responsibility for the incident will fall on the organization managing the credit protocols, Unal added.
Recall that in October, the Radiant Capital lending protocol was hacked in the BNB Chain and Arbitrum networks for more than $50 million.
