An exploit involving unverified lending contracts on the Base blockchain has resulted in the theft of approximately $1 million.

The incident, which took place over several hours, was reported by blockchain security firm Cyvers Alerts in an X post on Oct. 25.

The attacker exploited a vulnerability in smart contracts tied to Wrapped Ether (WETH), manipulated the price those contracts relied on and then siphoned the funds.

[Image: Cyvers Alerts post on the incident. Source: Cyvers Alerts]


Price manipulation exploit

The attacker’s initial suspicious transaction extracted $993,534 from the Base blockchain’s unverified lending contracts.

The attacker moved most of the stolen funds to the Ethereum network and then deposited approximately $202,549 into the privacy-focused Tornado Cash service. Additional funds totaling $455,127 were taken using the same exploit.

In a written Q&A with Cointelegraph, Hakan Unal, senior SOC lead at Cyvers Alerts, explained the vulnerability exploited in the attack:

“The oracle used by these contracts was not robust, relying only on a single pair with a limited liquidity of ~$400K, making it susceptible to price swings that could be manipulated.”


Security implications and prevention

The exploitation of unverified lending contracts in this incident highlights the broader risk facing decentralized finance (DeFi) platforms that fail to implement strong security measures.

Unal explained that “a more reliable, diversified oracle with higher liquidity to avoid price manipulation” could be used to prevent similar attacks in the future, particularly “for assets like WETH.”

“Enhanced due diligence for lending contract verification, particularly on oracles used, can mitigate these risks.”
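As an added illustration of the two oracle designs Unal contrasts (this is editor-written example code, not code from the article, from Cyvers Alerts or from the affected contracts), the following Python compares a spot price read from a single pool holding about $400K of liquidity with a diversified oracle that applies a liquidity floor, takes the median across several independent pools and rejects outliers. The pool names, reserves and thresholds are constructed sample values chosen for the example; the constant-product formula is the standard automated-market-maker pricing rule.

```python
from dataclasses import dataclass
from statistics import median


class OracleError(Exception):
    """Raised when no trustworthy price can be produced."""


@dataclass(frozen=True)
class PoolQuote:
    """Reserves of one WETH/USD-stablecoin pool (constructed sample data, not a real pool)."""
    name: str
    reserve_weth: float
    reserve_usd: float

    @property
    def spot_price(self) -> float:
        """USD per WETH implied by the pool's reserves."""
        return self.reserve_usd / self.reserve_weth

    @property
    def liquidity_usd(self) -> float:
        """Approximate value locked: both sides of a balanced pool."""
        return 2.0 * self.reserve_usd


def price_impact(pool: PoolQuote, usd_in: float) -> float:
    """Fractional move in the spot price after a constant-product swap of usd_in into the pool.

    A reviewer uses this to judge whether a pool is deep enough to serve as a sole price
    source: the smaller the reserves, the less capital it takes to move the quoted price.
    """
    k = pool.reserve_weth * pool.reserve_usd        # x * y = k invariant
    new_usd = pool.reserve_usd + usd_in
    new_weth = k / new_usd
    new_price = new_usd / new_weth
    return new_price / pool.spot_price - 1.0


def robust_price(quotes: list[PoolQuote], min_liquidity_usd: float = 1_000_000.0,
                 max_deviation: float = 0.02, min_sources: int = 2) -> float:
    """Diversified oracle: liquidity floor, median across sources, outlier rejection.

    1. Discard pools below the liquidity floor (a ~$400K pair never qualifies).
    2. Take the median of the remaining spot prices.
    3. Drop any source that deviates from that median by more than max_deviation.
    4. Refuse to answer unless at least min_sources agreeing sources remain.
    """
    eligible = [q for q in quotes if q.liquidity_usd >= min_liquidity_usd]
    if len(eligible) < min_sources:
        raise OracleError("too few sufficiently liquid price sources")
    mid = median(q.spot_price for q in eligible)
    agreeing = [q for q in eligible if abs(q.spot_price - mid) / mid <= max_deviation]
    if len(agreeing) < min_sources:
        raise OracleError("price sources disagree beyond the allowed deviation")
    return median(q.spot_price for q in agreeing)


# Constructed sample pools, all quoting $2,000/WETH; "thin-pair" holds ~$400K of liquidity,
# comparable to the single pair described in the article.
SAMPLE_POOLS = [
    PoolQuote("thin-pair", 100.0, 200_000.0),
    PoolQuote("deep-pair-a", 5_000.0, 10_000_000.0),
    PoolQuote("deep-pair-b", 4_000.0, 8_000_000.0),
    PoolQuote("deep-pair-c", 6_000.0, 12_000_000.0),
]

if __name__ == "__main__":
    thin, deep = SAMPLE_POOLS[0], SAMPLE_POOLS[1]
    print(f"$100K swap moves {thin.name} spot price by {price_impact(thin, 100_000):.0%}")
    print(f"$100K swap moves {deep.name} spot price by {price_impact(deep, 100_000):.2%}")
    print("diversified oracle price:", robust_price(SAMPLE_POOLS))
    try:
        robust_price([thin])
    except OracleError as err:
        print("thin pair alone is rejected:", err)
```

Running it shows the point of the liquidity floor: the same $100K trade moves the thin pair's quote by 125% but a $20M pool's quote by about 2%, and the diversified oracle never consults the thin pair at all. The deviation check then handles the case where one deep pool is temporarily pushed off-market, returning the price the remaining sources agree on.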


Who’s to blame?

Unal informed Cointelegraph that “the attacker managed to escape” with the funds stolen through exploiting “the price manipulation vulnerability.”

“Responsibility likely falls on the entity managing the unverified lending contracts, as well as those responsible for choosing an insufficiently secure oracle for price verification.”

The attacker has yet to be identified and has absconded with the stolen funds.

The incident underscores the need for DeFi platforms to strengthen their security practices, verify their contracts and protect user funds so that similar events do not recur.
