Wise Lending drained of $440K worth of crypto in apparent flash loan exploit

The attacker used an unverified contract to borrow 1,100 Lido Staked Ether, which may have been used to manipulate prices and drain funds from the protocol.

Web3 lending app and yield aggregator Wise Lending was drained of 170 Ether (ETH), worth $440,000 at current prices, in an apparent exploit on Jan. 12, according to multiple security experts. The exploiter may have manipulated an oracle price through a flash loan in order to carry out the exploit.

Blockchain data shows that the attack took place at 07:29 pm UTC. The attacker used an unverified contract with an address ending in d82c to drain the funds. Multiple tokens were transferred into this contract, including $9,000 worth of USD Coin (USDC), $2,000 worth of Tether (USDT), $5,000 worth of DAI, 18.51 Wrapped Ether (WETH) ($47.694), and numerous Pendle Finance associated tokens.

Wise lending exploit transactions on January 12. Source: Etherscan.

The attacker borrowed 1,110 Lido Staked Ether (stETH) tokens ($2.9 million) from AAVE lending protocol as part of the exploit. Exploiters often use flash loans to manipulate oracle prices.

Related: What are flash loans in DeFi？

Pseudonymous blockchain security researcher Spreek alerted the crypto community about the attack on X, stating “Looks like Wise Lending exploited for ~170 eth.”

Looks like Wise Lending exploited for ~170 eth

— Spreek (@spreekaway) January 12, 2024

In a reply to their own post, Spreek speculated that the vulnerability may have been associated with a new Pendle Finance derivative token. Another security researcher, Officer‘s Notes, shared the post, commenting “Another day, another exploit.” According to Officer’s Notes, the vulnerability may have been caused by a 7% swing in price between stETH and Ether (ETH) within a particular pool, which was in turn “b/c of AAVE v2 stETH flashloan.”

2024 just got started, but decentralized finance (DeFi) protocols have already lost at least $5 million through exploits. On Jan. 3, Radiant Capital was hit for over $4.5 million. The following day, liquidity manager Gamma Protocol lost over $400,000 in an exploit.

In 2023, over $1.8 billion was lost from crypto hacks, scams, and exploits, according to blockchain security platform Certik.