Moola Market – a decently sized crypto lending platform – was exploited via price manipulation of its native token, MOO, which has relatively low liquidity. The platform is working on a remedy to avoid future exploits.

Celo-based lending protocol Moola Market found more than $10 million worth of tokens stolen and returned this morning after a market manipulation attack.

The flaw, the second of its kind in recent weeks, resulted in attackers manipulating the price of Moola’s native MOO token to borrow collateral to bolster their positions – effectively draining the log.

We are actively investigating an incident on @Moola_Market. All activity on Moola has been paused. Please do not trade mTokens.

To the exploiter, we have contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a…
— Moola Market 🐮 (@Moola_Market) October 18, 2022

Moola developers said the attack began late in Tuesday’s Asian session. “An unknown attacker began manipulating the price of MOO on Ubeswap, which allowed the attacker to manipulate the MOO TWAP price oracle used by the Moola protocol,” they wrote.

The attackers borrowed large amounts of cUSD and cEUR from the protocol, backed by MOO, two Celo-based stablecoins pegged to the US dollar and euro respectively, and CELO, effectively draining the protocol’s funds. The developers paused trading on the platform at that time.

Attacker Returns Stolen Funds to Moola Market

The developers said they contacted law enforcement shortly after discovering the issue. After a while, someone identified as the attacker contacted the team to confirm his involvement. This person holds the private key to the stolen funds — an encrypted value, similar to the password of a block on the blockchain. The attacker agreed to send the funds back.

Following today's incident, 93.1% of funds have been returned to the Moola governance multi-sig. We have continued to pause all activity on Moola, and will follow up with the community about next steps, and to safely restart operations of the Moola protocol.
— Moola Market 🐮 (@Moola_Market) October 19, 2022

The attacker returned those funds to an admin multisig used by Moola. Afterwards based on our recommendation the attacker donated a portion of the unreturned funds to ImpactMarket, a Moola Market depositor that provides UBI in financially under-banked communities around the world
— Moola Market 🐮 (@Moola_Market) October 19, 2022

The attackers also donated a portion of the unreturned funds to ImpactMarket, a Moola Market escrow institution that provides a Universal Basic Income (UBI) to financially underserved communities around the world.

Moola is currently working on a governance proposal to close the loophole that led to the exploit, but is urging that it be fixed as soon as possible so the system can boot again. The protocol seeks to lower the liquidation levels that govern MOO’s use as collateral on the platform – effectively “removing it as a viable collateral asset.”

Moola Market Loses Over $10M in Market Manipulation Attack

Attacker Returns Stolen Funds to Moola Market