$1 Million Stolen in Base Blockchain Exploit – Calls for Stronger DeFi Security
A recent exploit involving unverified lending contracts on the Base blockchain has led to a loss of about $1 million. The incident was first reported on October 25 by blockchain security firm Cyvers Alerts, which shared the update on the social media platform X. Per Cyvers, the attacker took advantage of a serious flaw in the smart contracts related to Wrapped Ether (WETH).

Base Blockchain Exploit: How It Unfolded

The attack reportedly began with a single transaction in which the attacker extracted roughly $993,534 by manipulating the contract’s price data. The flaw allowed the attacker to manipulate the value of assets on the Base blockchain and get away with the stolen funds with ease. Most of the funds that the attacker initially moved have been transferred to the Ethereum network. After that, the attacker deposited around $202,549 into Tornado Cash in a bid to cover their tracks. Additional funds totalling $455,127 were taken using the same exploit.

Meanwhile, Cyvers Alerts’ lead security analyst, Hakan Unal, has blamed the exploit on the fact that the oracle used by the affected contracts was not robust enough. This made it easier for the attacker to trigger a price change and capitalize on the manipulated value. Unal then suggested that “a more reliable, diversified oracle with higher liquidity” could be used to avoid price manipulation and prevent similar attacks in the future, particularly “for assets like WETH.”

Security Issues with Decentralized Finance (DeFi)

The breach is a reminder of the risks associated with decentralized finance (DeFi) platforms, especially when the security protocols around smart contracts are weak. For these reasons, experts suggest that DeFi platforms should be diligent in verifying lending contracts.

By improving security protocols, these platforms will be able to better protect user funds and prevent incidents like the one that just hit Base from recurring. The attacker remains unidentified and has yet to be traced following the theft.
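
Unal's recommendation of a diversified oracle with higher liquidity can be modelled in a few lines. The sketch below is an added example, not code from the affected contracts or from Cyvers: it assumes the weak price source behaves like a constant-product pool (the article does not say which oracle was used), and every pool size, price, threshold and function name is constructed for illustration.

```python
from statistics import median

def spot_price_after_buy(reserve_weth, reserve_usd, usd_in):
    """USD-per-WETH spot price of a constant-product pool after a buy of usd_in."""
    k = reserve_weth * reserve_usd          # invariant x * y = k
    new_usd = reserve_usd + usd_in
    new_weth = k / new_usd
    return new_usd / new_weth

def aggregate_price(sources, min_liquidity_usd, max_deviation):
    """sources: iterable of (name, price, liquidity_usd).

    Drops sources below the liquidity floor, takes the median of the rest,
    and refuses to return a price when too few sources remain or when half
    or more of them sit further than max_deviation from the median.
    Returns (median_price, names_of_outliers).
    """
    eligible = [(n, p) for n, p, liq in sources if liq >= min_liquidity_usd]
    if len(eligible) < 3:
        raise ValueError("not enough liquid price sources")
    mid = median(p for _, p in eligible)
    outliers = [n for n, p in eligible if abs(p - mid) / mid > max_deviation]
    if 2 * len(outliers) >= len(eligible):
        raise ValueError("price sources disagree; refusing to price")
    return mid, outliers

def demo():
    # Constructed pools: both start at 2,500 USD per WETH.
    thin = spot_price_after_buy(100, 250_000, 250_000)             # shallow pool
    deep = spot_price_after_buy(40_000, 100_000_000, 250_000)      # deep pool
    # Constructed feed set as a lending contract might see it after the trade.
    sources = [
        ("thin_pool", thin, 500_000),
        ("deep_pool", deep, 200_000_000),
        ("feed_a", 2501.0, 50_000_000),
        ("feed_b", 2499.0, 50_000_000),
    ]
    price, outliers = aggregate_price(sources, 10_000_000, 0.02)
    return thin, deep, price, outliers

if __name__ == "__main__":
    print(demo())
```

The same trade quadruples the thin pool's quoted price and moves the deep pool by about half a percent, and the aggregated price stays near the honest feeds because the thin pool never passes the liquidity floor.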