Decentralized finance (DeFi) platform Moola Market has suffered a security incident leading to a loss of up to $9m worth of cryptocurrency.
The Celo blockchain-based platform admitted the incident in a tweet posted at 19:03 BST on Tuesday, October 18. In a thread, the Moola Market team stated: “We are actively investigating an incident on @Moola_Market. All activity on Moola has been paused. Please do not trade mTokens.
“To the exploiter, we have contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours.”
Several hours later, it appeared the hacker had negotiated a “bounty” for returning most of the funds taken by the attacker. Moola Market tweeted: “Following today’s incident, 93.1% of funds have been returned to the Moola governance multi-sig. We have continued to pause all activity on Moola, and will follow up with the community about next steps, and to safely restart operations of the Moola protocol.”
Later on, the company again took to Twitter to provide an update on the incident. It said that an “unknown attacker” started manipulating the price of MOO on Ubeswap, allowing them to manipulate the MOO time weighted average price (TWAP) oracle used by the Moola protocol. This meant they were able to borrow a large amount of cUSD, cEUR and CELO from the protocol using MOO as collateral, “effectively draining the protocol of its funds.”
Moola Market then revealed that 10 minutes after tweeting about its willingness to negotiate a bounty payment, it received a direct message from someone claiming to be the attacker who controlled the private key that was custodying the bulk of the funds. This led to 93.1% of the funds being returned to an “admin multi-sig used by Moola.”
The incident bears similarities to a $177m exploit suffered by Mango Markets last week (October 11), in which the hacker negotiated to keep $47m of the funds as a “bounty.”
Analyzing the cases, blockchain security platform CertiK explained: “In both cases, the attacker borrowed the illiquid native token of the lending platform, manipulated the price higher, and then used this newly-inflated value of their collateral to borrow more of the protocol’s assets.”
CertiK continued: “Users who have assets deposited into similar lending platforms should investigate to see if their assets are at similar risk of being drained by such a strategy. Collateral assets should be highly liquid, which makes this kind of manipulation much more difficult.”
The incidents follow an FBI warning issued in August 2022 that cyber-criminals are increasingly exploiting bugs in decentralized finance (DeFi) platforms to steal investor funds.
Generally, crypto thefts have become more prevalent following the soaring value of digital money in recent years. Earlier this month (October 2022), a hacker stole $570m from a popular cross-chain bridging service.