WebKeyDAO: The "Fixed Price" Arbitrage & Access Control Exploit (March 2025)
On March 14, 2025, WebKeyDAO, a protocol on the BNB Smart Chain (BSC), was exploited for approximately $737,000. The incident stands as a definitive case study in the intersection of Access Control failure and Oracle-less pricing logic, and has gained industry notoriety as a benchmark for AI-driven threat hunting.
Technical Overview
The vulnerability focused on the protocol's token sale contract. The design allowed users to purchase wkeyDao tokens at a price determined by internal state variables. The failure was rooted in two critical architectural oversights:
- Administrative Access Control Gap: The
SetSaleInfo()function, responsible for establishing the purchase price and sale parameters, was either poorly protected by modifiers or was misconfigured during deployment. - Rigid Pricing Logic: The
buy()function sold tokens based on a static internal variable. Because the contract did not utilize a dynamic price oracle (like Chainlink), the internal "reality" of the token price was decoupled from the fair market value.
Exploit Mechanism: The 1,000x Pricing Mismatch
The attacker leveraged the discrepancy between the protocol's internal state and the external market liquidity.
- Parameter Injection: The attacker identified that the
SetSaleInfo()function lacked sufficient authorization checks. They called this function to set the token purchase price within the contract to an abnormally low value (providing essentially a 99% discount). - The "Discount" Buy: With the new price active, the attacker used the
buy()function to acquire a massive volume ofwkeyDaotokens for a negligible amount of BUSD. - Atomic Arbitrage: Immediately following the purchase, the attacker swapped the undervalued tokens on external liquidity pools (e.g., PancakeSwap), where the market price remained significantly higher.
- Instant Siphoning: The entire process—price manipulation, discounted purchase, and market exit—was executed in a single transaction sequence, effectively draining the protocol's underlying liquidity.
Wider Significance: The AI Hunting Benchmark
WebKeyDAO achieved long-term notoriety when researchers at Anthropic used its (at the time) unverified bytecode to benchmark the capabilities of Claude 3.5 Sonnet (Extended Thinking). In a controlled environment, the AI was able to independently:
- Identify the lack of authorization on the
SetSaleInfo()setter from raw bytecode. - Locate the pricing discrepancy by comparing the contract state to a mock DEX.
- Draft and execute a functional exploit script.
Mitigation Strategies
- Decentralized Price Oracles: Never rely on manual price updates for tokens with an active secondary market. Use Chainlink or Pyth to ensure internal pricing tracks fair market value.
- Administrative Gatekeeping: Setter functions for critical economic parameters MUST be restricted by
onlyOwnerorAccessControland should ideally be controlled by a Multi-Signature Wallet with a Timelock. - Automatic Deviation Detectors: Implement "Sanity Guard" checks that revert transactions if internal pricing deviates from a trusted external source by more than a set threshold (e.g., 10%).
- Stateful Fuzzing: Protocols should utilize automated fuzzing tools to specifically search for execution paths where a single user can extract a significant percentage of TVL through parameter shifts.
Conclusion
The WebKeyDAO heist is a sobering reminder that simple logic is the softest target for automation. In an era where AI agents can scan the blockchain for unprotected setters and pricing discrepancies in seconds, relying on manual parameter management is an obsolete security model.