Moola Market Reveals $9m Crypto Exploitation
Decentralized finance (DeFi) platform Moola Market has suffered a security incident that has resulted in a loss of up to $9 million in cryptocurrency.
The Celo blockchain-based platform admitted the incident in a chirping posted at 19:03 BST Tuesday 18 October. In a thread, the Moola Market team stated: “We are actively investigating an incident at @Moola_Market. All activity at Moola has been paused. Please do not exchange mTokens.
“To the exploiter, we have contacted the police and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours.”
Several hours later, it appeared the hacker had negotiated a “bounty” to return most of the funds the attacker took. Moola Market tweeted: “Following today’s event, 93.1% of funds have been returned to Moola’s governance multi-sig. We have continued to pause all activity on Moola, and will follow up with the community on next steps, and to safely restart the operation of the Moola protocol.”
Later, the company again took to Twitter to provide one Update on the incident. It said an “unknown attacker” began manipulating the price of MOO on Ubeswap, allowing them to manipulate the MOO time-weighted average price (TWAP) oracle used by the Moola protocol. This meant they were able to borrow a large amount of cUSD, cEUR and CELO from the protocol using MOO as collateral, “effectively draining the protocol of its funds.”
Moola Market then revealed that 10 minutes after tweeting about its willingness to negotiate a bounty payment, it received a direct message from someone claiming to be the attacker who controlled the private key that held the bulk of the funds. This led to 93.1% of the funds being returned to an “admin multi-sig used by Moola.”
The incident bears similarities to a $177 million exploit suffered by Mango Markets last week (October 11), where the hacker negotiated to keep $47 million of the funds as a “bounty.”
Analyzing the cases, blockchain security platform CertiK explained: “In both cases, the attacker lent the illiquid original token to the lending platform, manipulated the price higher and then used this newly inflated value of the security to borrow more of the protocol’s assets.”
CertiK continued: “Users who have assets deposited on similar lending platforms should investigate whether their assets are similarly at risk of being drained by such a strategy. Collateral should be highly liquid, which makes this kind of manipulation much more difficult.”
The incidents follow an FBI warning issued in August 2022 that cybercriminals are increasingly exploiting flaws in decentralized finance (DeFi) platforms to steal investor funds.
In general, crypto thefts have become more widespread after the skyrocketing value of digital money in recent years. Earlier this month (October 2022), a hacker stole $570 million from a popular blockchain service.