DeFi lending protocol Moola Market has halted operations after it was exploited for $8.4 million worth of crypto.
In a Twitter update at 2pm ET on Tuesday, Moola Market alerted users that it was investigating an exploit and cautioned them against trading mTokens – the interesting bearing cERC-20 tokens that represent claims on deposited assets.
Analysis from The Block’s head of research Igor Igamberdiev found that the protocol was hit with a total loss of $8.4 million from the attack. The attacker stole 8.8 million CELO tokens worth $6.5 million, 765,000 cEUR tokens worth $700,000, 1.8 million MOO tokens worth $600,000 and 644,000 cUSD tokens worth $600,000.The hacker reportedly carried out the attack without writing their own smart contract, leading Igamberdiev to dub the exploit “an incredibly simple attack.”
With 243,000 CELO tokens funded from a Binance wallet, the attacker lent 60,000 CELO to Moola and borrowed 1.8 million MOO to use as collateral. The attacker then manipulated the price of MOO upwards with the balance of CELO tokens, using it as collateral to buy more tokens.
“To the exploiter, we have contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours,” tweeted the Moola team.
Several hours later, Moola Market issued an update stating that stating that 93% of the stolen funds had been returned to the Moola governance multi-sig address. However, the team said that activity on the DeFi protocol would not resume just yet and it would communicate the next steps with the community in a follow up announcement.
Another snippet of on-chain transaction data shared by Igamberdiev seemed to indicate that Moola Market had sent the exploiter a bounty of 700,000 CELO tokens. These tokens were worth around $481,000 at the time of the transfer. The hacker then attempted to send 50,000 CELO tokens earned from the bug bounty to Impact Market – a protocol that supports blockchain-based Universal Basic Income initiatives.
Marco Barbosa, the founder of Impact Market, confirmed that the tokens were donated through the protocol, clarifying that Impact had no part in the hacker’s actions.
“I can confirm that those 50K CELO were sold for cUSD and donated through Impact Market to support thousands of families from 30+ developing countries living in vulnerability as unconditional basic income,” said Barbosa on Twitter.