Similarly to last week’s Mango Markets case, the exploit was carried out via price manipulation of a collateral asset, this time netting the attacker $8.4M.
The Moola team announced the incident on Twitter, appealing to the CEX-funded attacker to return funds in exchange for a bounty.
A guilty conscience or a planned whitehat?
This attack was a simple price manipulation which didn’t require any coding.
Using initial funding of 243k CELO (~$180k), the attacker supplied 60k CELO in order to borrow 1.8M of the protocol’s native token, MOO, which could itself be used as collateral to borrow against other assets.
Then, using the remaining CELO to buy MOO on Ubeswap, the attacker pumped the price of their MOO collateral…
…allowing them to borrow the remaining assets on the protocol, draining all liquidity:
8.8M CELO ($6.5M)
765k cEUR ($0.7M)
1.8M MOO ($0.6M)
644k cUSD ($0.6M)
Attacker's address: 0x95b5579b323ddc6cd290bd4da6e56ba019588efc
In addition to returning the majority of the funds, the whitehat also donated 50k CELO ($37k) of the bounty to Impact Market, a protocol focused on providing UBI for vulnerable families in developing countries.
Bear markets offer easy opportunities to market manipulators, who find it easier to move prices when liquidity is low. Especially when smaller protocols allow use of their native tokens as collateral, whose dollar value dies away as the bear drags on.
Moola Markets have learned their lesson, and are proposing to remove MOO as a viable collateral asset via protocol governance.
But anyone with deep enough pockets can stress test DeFi markets in their current state.
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
18 quadrillion dollars. That’s the theoretical value of the 60 trillion aBNBc that was illegitimately minted from Ankr. Unfortunately, that’s more than the GDP of the entire world, and the aBNBc liquidity couldn’t stretch that far, so the hacker only got away with $5M.
SBF’s meltdown has gone from bad, to worse, to weird. The facade has fallen, and all his “beliefs” have turned out to be bullshit. The crypto movement is bigger than the failures of the past week, or at least, it will be...
Deribit has lost $28M from their hot wallets on the Ethereum and Bitcoin networks. As with all cases of “compromised keys”, only insiders can say for certain what caused the breach, but we have our usual suspects…