On Tuesday, a hacker exploited a vulnerability in the Celo-based Moola Market lending protocol and stole $8.4 million. But in a turn of events, the hacker restored 93.1% of the stolen cash on Wednesday morning.
The Celo blockchain platform confirmed the occurrence in a tweet at 19:03 BST on Tuesday, October 18. After learning of the vulnerability, Moola Market abruptly shut down their service. The Moola Market team acknowledged the hack in a tweet that read:
“We are actively investigating an incident on @Moola_Market. All activity on Moola has been paused. Please do not trade mTokens.”
This attack is the latest of several others already recorded this month. The attackers drained the Moola protocol by artificially inflating the value of the native MOO tokens. This allowed them to borrow against their positions without risking their own funds.
How The Attack Happened On The Moola Market
The exploit happened at 2:00 p.m. October 18th, during which the hacker reportedly stole $8.4 million through network manipulation. According to Moola developers, “an unknown attacker started manipulating the price of MOO on Ubeswap, allowing the attacker to manipulate the MOO TWAP price oracle used by the Moola protocol.” Oracles are external services that bring data into a blockchain from elsewhere.
The hacker collected 243k CELO from Binance, according to data Igor Igamberdiev’s research team retrieved from the blockchain. Then he borrowed 1.8 million MOO (Moola’s Native Token) from Moola by lending 60k CELO as collateral. After that, he started pumping MOO with the rest of the CELO, driving the price from $0.018 to $5.6 in about an hour.
Before the token price plummeted to $0.36, he used the borrowed MOO as collateral to borrow more coins. This allowed him to acquire $8.8 million (6.5 million CELO), $750,000 (765,000 cEUR), $655,000 (1.8 million MOO), and $639,000 (644,000 cUSD). Everything took place on the Ubeswap decentralized exchange.
Hacker Returns 93.1%, Keeps $500,00 As Bounty
After discovering the vulnerability, the Moola Market team acted swiftly to fix it. Moola halted all platform operations, and law enforcement was alerted minutes after the incident. The platform sent a message to the attacker through Twitter. The hacker was notified of the actions in place to prevent liquidating the stolen assets. Moola also brought up the possibility of a bounty.
Within 10 minutes of Moola Market’s tweet, the hacker contacted them. The team negotiated the return of more than 93% of the stolen assets, approximately $7.8 million. Moola did not reveal the exact bounty price. But the money returned to the protocol suggests it is well over $500,000.
Moreover, Moola Market clarified that it would take steps to prevent similar attacks in the future. A governance vote is ongoing for proposal ID9, which limits MOO’s LTV and liquidation requirements, removing it as collateral. They said their plan would fix the platform’s security flaws that allowed for the attack. In addition, if this proposal is approved, it may continue operations without compromising safety.
Featured image from Pixabay and chart from TradingView.com