Making $500K in a Day: Moola Market Hacker Gets a Bounty and Returns Stolen Funds
The exploit, which saw the price of MOO manipulated to provide a huge payout, originally left Moola in the hole for upwards of $9.1 million.
On the 18th of October, Moola Market – a decently sized crypto lending platform – was exploited via price manipulation of its native token, MOO, which has relatively low liquidity. However, CELO – an ecosystem that Moola Markets is part of – does not.
The exploit was similar in nature to the recent Mango Markets fiasco, as the attacker used a platform’s native token with low liquidity to perform a series of unusual trades that, while not technically illegal, do constitute an abuse of the platform.
MOO Price Driven Up By 6,400%
In order to generate a huge payout, the attacker bought about $45k worth of MOO, which was then put down as collateral to borrow CELO from the platform. Nothing out of the ordinary so far. However, the attacker used the borrowed CELO to purchase more MOO.
This alternating recursion of buying one token and using it as collateral for the other was repeated multiple times. If this endeavor had been performed with two high liquidity tokens, the effects on their prices would have been negligible.
However, since MOO is a token with very low liquidity, the constant purchase of MOO was seen by the blockchain as a sudden interest in the token, driving the price up by a staggering 6,400%. The team at Moola was quick to take notice of the mischief.
We are actively investigating an incident on @Moola_Market. All activity on Moola has been paused. Please do not trade mTokens.— Moola Market 🐮 (@Moola_Market) October 18, 2022
To the exploiter, we have contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a…
Unfortunately, by the time they took notice of the enterprising trader showing an undue amount of interest in the token, the attacker was able to manipulate the price of MOO high enough to purchase a total of $1.2 million worth of MOO, $740k CELO Euros (cEUR), $644k CELO USD (cUSD) and $6.6 million worth of CELO. All in all, about $9.1 million worth of funds were borrowed, starting from an initial deposit of $45k.
Getting Back on Track
Once Moola devs noticed of the trades, they immediately reached out to the attacker via Twitter, promising legal action if funds were not returned within 24 hours. It’s important to note that the platform would have had limited legal recourse in case the attacker refused.
However, the two parties seem to have reached an agreement rather quickly.
“Following today’s incident, 93.1% of funds have been returned to the Moola governance multi-sig. We have continued to pause all activity on Moola, and will follow up with the community about next steps, and to safely restart operations of the Moola protocol.”
The remaining $500k seems to represent a bug bounty for the enterprising attacker – a much smaller sum than they initially made, but nevertheless a 1,000%+ return on his original investment of $45k.