FEATURED

⁩Moola Market exploited, attacker returns 93% of funds

Published

1 year ago

October 19, 2022

The Celo money market, Moola, reported investigating an incident on the platform, and activities on Moola have been paused. Moola mentioned that they have contacted law enforcement and taken steps to make it difficult for the exploiter to liquidate the funds. However, Moola said users should not trade mTokens.

The Celo-based lending and borrowing protocol Moola Market lost over $10 million equivalent tokens due to the incident. The platform has offered a negotiation on a bounty payment if the attacker returns the funds within the next 24 hours. “Following today’s incident, 93.1% of funds have been returned to the Moola governance multi-sig,” Moola reported.

Moola added that they have continued to pause all activities on the platform, follow up with the community on the next line of action, and restart operations on the Moola protocol.

The moola market exploit was the second of its kind in the last few weeks.

How the Moola Attack Took Place

According to Moola, an unknown attacker manipulated the price of MOO on Ubeswap starting at 4:04 pm UTC on 18th October 2022. The attacker manipulated the MOO TWAP price oracle used by the Moola protocol and borrowed a large amount of cUSD, cEUR, and CELO using MOO as collateral. This move drained the protocol of its funds.

After Moola reached out for negotiation, in about 10 minutes, the team got a message from a person who claimed to be the attacker and said that they controlled the

private key that was custodying the bulk of the funds. As Moola initiated a negotiation, the attacker was persuaded to return 93.1% of the funds.

Based on Moola’s recommendation, the team confirmed that ‘the attacker donated a portion of the unreturned funds to ImpactMarket, a Moola Market depositor.”