Moola Market Hack — October 18, 2022
Overview
On October 18th, 2022, Moola Market was exploited, with hackers making off with roughly $9.1 million spread across a number of different tokens on the Celo blockchain.
The Attack
An unknown attacker manipulated the price of MOO on Ubeswap, which in turn skewed the MOO TWAP (time-weighted average price) oracle used by the Moola protocol. Through repeated swaps and borrowing cycles, the price of the MOO token rose from 0.02 CELO to 0.73 CELO.
With the inflated token price, the attacker was able to borrow:
• $6.6 million worth of CELO
• $1.2 million of MOO
• $740,000 of Celo Euros (cEUR)
• $644,000 of Celo Dollars (cUSD)
These borrowed assets were worth multiples of the collateral the attacker had initially posted, resulting in a loss to the protocol of around $9.1 million.
Response and Recovery
Within minutes of the attack being noticed, all activity on the platform was paused and law enforcement was brought in. Five hours after the initial confirmation of the exploit, Moola Market tweeted that it had received back just over 93% of the exploited funds, with the attacker seemingly keeping the rest, around $500,000, as a bug bounty.
Root Cause
The main cause of the attack was a price manipulation vulnerability, a very common attack vector in DeFi: the MOO oracle price the protocol relied on could be moved by trading on Ubeswap.
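One way a lending protocol can detect this kind of oracle skew, shown as an added example that is not Moola's code: compare a short-window TWAP against a long-window reference and stop valuing collateral when the two diverge. The window lengths, the 1.5x threshold, the function names and the price observations are assumptions made for illustration.

```python
# Added example, not Moola's code. Observations are constructed; only the
# 0.02 and 0.73 CELO endpoints come from the incident description above.

def twap(obs, start, end):
    """Time-weighted average over [start, end] of piecewise-constant prices.

    obs: (timestamp_seconds, price) pairs sorted by time; each price holds
    until the next observation.
    """
    if end <= start or not obs or obs[0][0] > start:
        raise ValueError("window is empty or not covered by observations")
    total = 0.0
    for i, (t, price) in enumerate(obs):
        nxt = obs[i + 1][0] if i + 1 < len(obs) else end
        lo, hi = max(t, start), min(nxt, end)
        if hi > lo:
            total += price * (hi - lo)
    return total / (end - start)


def collateral_price(obs, now, short=600, long=86400, max_ratio=1.5):
    """Price to value collateral at, or None when borrowing should halt.

    short, long and max_ratio are assumed policy values, not Moola's.
    """
    fast = twap(obs, now - short, now)
    slow = twap(obs, now - long, now)
    if max(fast, slow) / min(fast, slow) > max_ratio:
        return None  # short window diverged from the long-window reference
    return min(fast, slow)  # value collateral at the lower of the two


# Constructed: a day at 0.02 CELO, then a climb to 0.73 within ~7 minutes.
MANIPULATED = [(0, 0.02), (86000, 0.10), (86100, 0.25),
               (86200, 0.45), (86300, 0.73)]
# Constructed: an ordinary day with a small drift.
CALM = [(0, 0.02), (43200, 0.021)]

if __name__ == "__main__":
    now = 86400
    print("10-min TWAP:", round(twap(MANIPULATED, now - 600, now), 4))
    print("24-h TWAP:  ", round(twap(MANIPULATED, 0, now), 4))
    print("manipulated ->", collateral_price(MANIPULATED, now))
    print("calm        ->", collateral_price(CALM, now))
```

On the constructed manipulated series the 10-minute TWAP is about twelve times the 24-hour TWAP, so the guard returns None; on the calm series it returns the lower of the two averages.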