After Mango Market exploit, Compound pauses four tokens to protect against price manipulation

Published at: Oct. 25, 2022

Decentralized lending protocol Compound has paused the supply of four tokens as lending collateral on its platform, aiming to protect users against potential attacks involving price manipulation, similar to the recent $117 million exploit from Mango Market's, according to a proposal on Compound's governance forum. 

With the pause, users will not be able to deposit yearn finance (YFI), 0x (ZRX), basic attention token (BAT) and maker (MKR) tokens as collateral to take loans.

The proposal passed on Oct. 25 with 99% of all voters in favor. It stated:

"An oracle manipulation-based attack analogous to the one that cost Mango Markets $117m is much less likely to occur on Compound due to collateral assets having much deeper liquidity than MNGO and Compound requiring loans to be over-collateralized. However, out of an abundance of caution, we propose pausing supply for the above assets, given their relative liquidity profiles."

In a security review of Compound v2 performed in September, the Volt Protocol team identified potential market manipulation risks related to low-liquidity tokens. The report explained: 

"The attack is possible when the amount of a token borrowable on markets like Aave and Compound is large compared to the liquid market. The most notable example is ZRX, which has borrowable liquidity on each of these markets comparable to or greater than the usual daily volume across all centralized and decentralized exchanges."

On Twitter, Robert Leshner, founder of Compound, explained that the conservative approach won't impact existing users. 

Following the @mangomarkets exploit, @gauntletnetwork has proposed disabling new supply for the most thinly traded collateral.This conservative approach won't impact existing users, and encourages the migration of usage to Compound III (which is resistant to the attack vector). https://t.co/yMQDgRXru7

— Robert Leshner (@rleshner) October 21, 2022

On Oct. 11, Avraham Eisenberg, the hacker behind the Mango's Market exploit, manipulated the value of a posted collateral — the platforms’ native token, MNGO — to higher prices, then took out significant loans against the inflated collateral, which drained Mango’s treasury.

The exploiter, self-described as a digital art dealer on Twitter, claimed that he and a team of hackers undertook a “highly profitable trading strategy” and that it was “legal open market actions, using the protocol as designed.”

After voting a proposal in the Mango's governance forum, Eisenberg was allowed to keep $47 million as a “bug bounty”, while $67 million was sent back to the treasury.

Tags
Related Posts
Furucombo to issue iouCOMBO tokens to repay victims of $15M exploit
Decentralized finance transaction combination tool Furucombo will compensate the victims of a recent “evil contract” exploit that cost the protocol $15 million in stolen funds. Following an internal call with affected users last week, Furucombo released a compensation plan Tuesday, announcing that they will issue 5 million iouCOMBO tokens to the victims of the breach. Issued in the form of ERC-20 tokens, iouCOMBO tokens will represent the rights to claim Furucombo’s COMBO tokens in the recovery pool. Out of a total of 100 million COMBO tokens, 5 million coins have been allocated to the recovery pool, and are subject to …
Technology / March 9, 2021
Moola Market attacker returns most of $9M looted for $500K bounty
An attacker has returned just over 93% of the more than $9 million worth of cryptocurrencies they exploited from the Celo (CELO) blockchain-based decentralized finance (DeFi) lending protocol Moola Market. At around 6PM UTC on Oct. 18 the Moola Market team tweeted it was investigating an incident and had paused all activity, adding it had contacted authorities and offered a bug bounty to the exploiter if funds were returned within 24 hours. Analysis of the exploit by Web3 security company Hacken shows the attacker manipulated the price of the protocols’ low-liquidity native MOO token by initially purchasing around $45,000 worth …
Defi / Oct. 19, 2022
BonqDAO protocol suffers $120M loss after oracle hack
A small-scale decentralized autonomous organization (DAO) has suffered a rather sizeable smart contract exploit leading to an estimated $120 million being stolen from its protocol. BonqDAO, which is behind the Bonq protocol, told its Twitter followers on Feb. 1 that its protocol was exposed to an oracle hack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token. Bonq protocol was exposed to an oracle hack, where exploiter increased the ALBT price and minted large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap. Then, the price was decreased to almost zero, which …
Blockchain / Feb. 2, 2023
Yearn.Finance puts expanded treasury to use by repaying victims of $11M hack
Major decentralized finance protocol Yearn.Finance (YFI) has restored its yDAI vault in the aftermath of a $11 million exploit by hackers. Yearn announced Tuesday that they opened a Maker vault with YFI tokens from the treasury and minted 9.7 million DAI tokens from the vault to keep the yDAI vault intact. Using borrowed money allows the project to reimburse users without taking a hit to the treasury, either due to possible YFI appreciation or by gradually repaying the debt with protocol revenue. The team said that this is a one-off occurrence, as they expect users to hedge their own risks …
Technology / Feb. 9, 2021
Rari Fuze hacker offered $10M bounty by Fei Protocol to return $80M loot
Decentralized finance (DeFi) platform Fei Protocol offered a $10 million bounty to hackers in an attempt to negotiate and retrieve a major chunk of the stolen funds from various Rari Fuse pools worth $79,348,385.61 — nearly $80 million. On Saturday, Fei Protocol informed its investors about an exploit across numerous Rari Capital Fuse pools while requesting the hackers to return the stolen funds against a $10 million bounty and a “no questions asked” commitment. We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and paused all borrowing to mitigate further damage. To …
Blockchain / May 1, 2022