TL;DR
On Oct 18, 2022 a hacker exploited a vulnerability in the Celo-based Moola Market lending protocol and stole ~$8.4 million. The hacker restored 93.1% of the stolen cash on Oct 19, 2022.
Introduction
On October 18th, 2022 at around 4:04pm UTC, the Celo blockchain-based decentralized finance lending protocol Moola Market was exploited for approximately ~$8.4 million through network manipulation. The attacker drained the Moola protocol by artificially inflating the value of the native MOO tokens. This allowed them to borrow against their positions without risking their own funds. This attack happened on the decentralised exchange platform Ubeswap, where the hacker proceeded to borrow huge amounts the cUSD, cEUR, and CELO tokens leveraging MOO as collateral and succeeded in draining the protocol.
Attack Flow
The attacker exploited the protocol off of its design rather than using an external contract to abuse certain functions.
-
The attacker funded their account with $243,000 $CELO from Binance and borrowed ~1,875,000 $MOO by lending 60,000 $CELO as collateral.
-
The attacker repeatedly swapped and borrowed more $MOO which caused prices to climb due to low liquidity. This action artificially pumped the price of the token, and devalued all other tokens. By repeating this cycle, the attacker increased the $MOO token price from $0.018 to $5.6 in about an hour. With this process, the attacker was able to drain an entire vault. Before the token price plummeted to $0.36, the attacker used the borrowed MOO as collateral to borrow more coins. This allowed him to acquire ~$8.8 million (6.5 million CELO), $750,000 (765,000 cEUR), $655,000 (1.8 million MOO), and $639,000 (644,000 cUSD). Everything took place on the Ubeswap decentralized exchange.
Addresses
Hacker: 0x5dae2c3d5a9f35bfaf36a2e6edd07c477f57789e
Sent hacker MOO: 0x1df15534d350377732944e5bce2fe65c5ae6766d
Moola team upgrading contract: InitializableImmutableAdminUpgradeabilityProxy | Address 0x928f63a83217e427a84504950206834cbda4aa65 | CeloScan
Profit and Assets Tracing
Moola Market Exploiter Address 0x95b5579b323ddc6cd290bd4da6e56ba019588efc | CeloScan ~7.5m
Address 0x562d82dafdc7fb930e040f7c4da31967ded1b1f2 | ~1.2m
Funds Returned
Moola Market revealed in a tweet that 10 minutes after tweeting about its willingness to negotiate a bounty payment, it received a direct message from the attacker. This led to 93.1% of the funds being returned to an “admin multi-sig” used by Moola. Moola did not announce the exact bounty price, but the money returned to the protocol suggests it is well over $500,000 (or ~700k $CELO).The attacker also donated a portion of the unreturned funds to ImpactMarket, a Moola Market depositor that provides UBI in financially under-banked communities around the world.
More and more DeFi companies are implementing bug bounty programs. It’s no surprise that malicious actors are enticed to steal $14 billion in cryptocurrency during 2021 alone. With cryptocurrency bounties reaching six to seven figures, the pressure for traditional bug bounty programs to up their game will mount, as top hackers will adapt their skills to go where the money is.
Lessons Learned
Of all the 533 attacks this year, a number of those were able to get their funds backs through negotiations with the hackers over the past few years. While this is less desirable to a bug bounty or responsible disclosure program, it shows that it pays to negotiate IF it does happen to you. We tracked 16 major hacks (including Moola) where funds were returned, totaling $1,086,200,000 initially taken. Through negotiating, $804,935,429 were returned by hackers-turned-white-hats leading to losses of only $281,264,571. This is still a MASSIVE number of losses compared to a bug bounty or proper security auditing, pen-testing and red-teaming, but it shows that negotiations a can work.
Conclusion
Overall, Moola Market was hacked for roughly ~$8 million dollars due to a vulnerability in the design. The exploit was similar to the $177m exploit suffered by Mango Markets on October 11, 2022 , where the lending protocol was exploited due to design and not an external contract. The Mango Markets' hacker also negotiated to keep $47M of the funds as a bounty. In both cases, the attacker borrowed the liquidity native token of the lending platform, manipulated the price to be higher, and then used this newly-inflated value of their collateral to borrow more of the protocol’s assets. These types of exploits are rising overall, and more and more hackers are coming out with increased bounties making these attacks extremely profitable for them. October has been dubbed #Hacktober due to a series of exploits that have caused a collective loss of over a billion dollars.
