Moola Market Manipulation

Why Liquidity Matters for Lending Protocols

By Professor Ronghui Gu, Co-Founder, CertiK

On October 18, 2022, Moola Market – a non-custodial liquidity protocol operating on the Celo blockchain – suffered a loss of approximately $8 million. The incident was the result of an attacker manipulating the price of the platform’s native $MOO token, which allowed them to use the inflated price of their $MOO collateral to borrow additional tokens from the platform.

The attack flow was nearly identical to the Mango Markets incident that occurred the week prior, in which an attacker also borrowed the illiquid native token of the lending platform, manipulated the price higher, and then used this newly inflated value of their collateral to borrow an outsized amount of the protocol’s assets.

In both cases, the attacker returned most of the funds they had obtained. Moola Markets negotiated with the attacker, who returned 93.1% of the funds in return for a $500,000 bounty payment. While this prevented Moola liquidity providers from being as negatively impacted as they could have been, DeFi platforms cannot rely on retroactive bounties from attackers who decide to adopt the role of a white hat hacker after the fact.

The market liquidity of a token should be a primary consideration when deciding which assets can be used as collateral on a lending platform. Illiquid tokens introduce a much greater risk of being manipulated in a way that breaks the intended functioning of the platform. In the case of the Moola incident, the attacker only required approximately $133k worth of $CELO to pump the price of $MOO from $0.018 to a peak of $3.58, representing a gain of nearly 20,000%.

In deeper, more liquid markets, the cost of such an attack increases dramatically. It would take an astronomic amount of money to manipulate the price of blue-chip assets by the same magnitude.

This was a flaw in the design of the protocol. It was not the result of an error in the platform’s smart contract, but rather a lack of foresight when choosing which assets could be used as collateral. While it remains unclear who the perpetrator of the Moola Market manipulation was, they would likely defend their actions not as an attack on the protocol but rather as a “highly profitable trading strategy,” to use the words of the Mango Markets exploiter.

Lending platforms want to incentivize the usage of their token, and allowing it to be used as collateral asset is one way of doing so. However, if liquidity is insufficient to prevent attacks such as these, this ends up being a short-sighted strategy, as there is unlikely to be any demand for the token of a broken platform that opened its users up to potentially devastating losses.

In addition to the careful selection of collateral assets, DeFi platforms have a range of tools at their disposal to protect their protocols and its users. On-chain monitoring services such as Skynet that continuously scan the blockchain for suspicious activity can raise the alarm minutes before an attack can be carried out.

Careful design choices, pre-deployment auditing, and post-deployment monitoring can all combine to raise a protocol’s level of security to the highest possible standard. A meaningful commitment to security is not just the right thing to do, it’s also a no-brainer from a business standpoint. DeFi protocols that take security seriously demonstrate to potential users that they intend to be around for the long term, which is crucial when it comes to attracting the liquidity and day-to-day usage that makes a platform thrive.

DeFi’s transparency is one of its greatest strengths. It means on-chain security incidents can be quickly diagnosed and addressed, not just by the team behind a platform that suffered the exploit but also by the developers of other platforms that may share similar vulnerabilities. But these lessons are not always learned as quickly as they should be, which leads to DeFi’s transparency becoming one of its greatest liabilities. Copycat attacks are trivial to carry out when the exact attack flow of a previously successful exploit is permanently written into the chain.

The fact that Moola Markets suffered the same fate as Mango Markets did just a week prior is illustrative of this conundrum. In order to make transparency a powerful strength rather than a critical weakness, DeFi and Web3 projects need to move quickly to address vulnerabilities and mitigate risks as soon as they appear. Security does not end after a project is deployed. It needs to be integrated into all steps of the process, from design, to deployment, and beyond.

About the Author

Professor Gu is the Tang Family Assistant Professor of Computer Science at Columbia University. He holds a Ph.D. in Computer Science from Yale University and a bachelor’s degree from Tsinghua University. He is the primary designer and developer of CertiKOS and SeKVM. Gu has received: an SOSP Best Paper Award, a CACM Research Highlight, and a Yale Distinguished Dissertation Award.  Prof. Gu is on Twitter at @guronghuieric and CertiK’s company website is http://certik.com/