On 10 December, 2022 at 1:21:34 AM UTC, Mu Coin was flash loan attacked for approximately 45 ETH ($57K) on AVAX. The attack took advantage of differences in price between the token in the LP pools and the token price obtained by buying bonds, resulting in a smart contract that is vulnerable to economic arbitrage. Mu coin founder Jon Vaughn acknowledged the attack and is attempting to raise the price back to levels similar before the incident.
On 10 December, 2022 at 1:21:34 AM UTC, our CertiK Skynet system noticed a suspicious flash loan on AVAX. After further investigation, CertiK analysts confirmed it to be a price manipulation attack. The attacker gained 57,659 USDC which they then swapped to 45.1 ETH and sent to cBridge followed by Tornado Cash.
This is a good example of an oracle manipulation attack. This system of contracts forms a bond system that allows user’s to exchange USDC for equivalent tokens. However, it is vulnerable to flash loan attacks as the bonds are based on a single pair of LP pools defined by both Mu coin/Mu Gold and Mu coin/USDC.
This type of attack usually occurs as follows:
Below is the pattern of transfers used to see how the attacker withdrew Mu Coin and Mu Gold using USDC to pay for it. Essentially the attacker bought cheaper Mu Coin and Mu Gold then used it to arbitrage the pools.
Following the attack, Mu Coin founder Jon Vaughn addressed the attack via the official Discord server. He begins with stating that he “Made a huge blunder.”
Vaughn is still active in Discord and trying to recover the project, citing he, “learned a valuable lesson,” from the incident. The recovery will not be easy as, at the time of writing, token Mu Gold (MUG) is down 94% and Mu Coin (MU) is down 84%. Nevertheless, the project remains active and seeks to recapture the momentum it lost.
Swapped to 45.1 ETH: 0x864b6
Sent to cBridge: 0x03257b
Sent to Tornado Cash:
Attacker contract: 0xe6c17
Victim contract (MuBank): 0x4aa679402c6afce1e0f7eb99ca4f09a30ce228ab
Pair 1 MUG-MU Pair (Flash loaned): 0x67d9aab77beda392b1ed0276e70598bf2a22945d
Pair 2 MU- USDC Pair (Swapped for): 0xfacb3892f9a8d55eb50fdeee00f2b3fa8a85ded5
There is a pricing issue between the token price in the LP pools versus the token price obtained by buying bonds. As a result, the contract is vulnerable to arbitrage and is inherently an economic and smart contract design issue.
The attacker took 57,659 USDC, swapped it for 45.1 ETH, and then sent it to cBridge in the following transaction.
All 45.1 ETH were eventually transferred to Tornado Cash, a digital asset obfuscation service.
The Mu Coin incident may be a recent incident however the impact can already be seen top-down throughout the project. This incident has been a set back for the development of the project as it appears to negatively impacted the founder’s invested asset profile in the project. The founder has deemed this to be a, ‘100K blunder'. Fortunately for the project, user assets appear to be intact but the slippage in price for both $MU and $MUG no doubt caused fear, uncertainty, and doubt in the community. For being a smaller project, the community remains active and the founders and developers interact on a daily basis. Strong community is key to strong recovery and within the Web3 ecosystem we are all apart of the community at large. Our goal at CertiK is to foster a safer and stronger community for all. With smart contract auditing you can secure your own project’s spot in the web3 community. Get audited today at certik.com!