Hacker returns $7.8 million stolen from Moola Market

Quick Take

  • An unknown hacker has returned funds stolen from a lending protocol called Moola Market.
  • The activity on the protocol remains paused for the time being.
 

The Moola Market hacker has returned the majority of funds that were stolen though an exploit.

On Tuesday, Moola Market, a lending protocol on the Celo blockchain, suffered an $8.4 million exploit. Hours later, the attacker returned 93.1% of the stolen funds ($7.8 million) to Moola's wallet.

"Following today's incident, 93.1% of the funds have been returned to the Moola governance multi-sig," the team tweeted.

The attacker kept the remaining funds some 700,000 CELO tokens ($518,000) as a negotiated bounty reward that the team had previously offered. 

How the Moola attack unfolded

The attacker took advantage of the low liquidity of MOO, the native token on Moola's lending protocol on the Celo blockchain. They inflated the value of MOO on a decentralized exchange called Ubeswap and leveraged the tokens as collateral to drain user assets deposited into the protocol, according to Igor Igamberdiev, research director of data at The Block.

More specifically, the attacker started out with 243,000 CELO tokens ($182,000) held in their address on the Celo network. The next step was depositing 60,000 CELO tokens on Moola and borrowing 1.8 million MOO tokens. The attacker then used their remaining CELO tokens to rapidly inflate the price of MOO.

The perpetrator moved on to leverage the increased value of their MOO tokens as collateral to borrow other assets in a loop. By using just $182,000 in CELO, they were able to drain 8.8 million CELO ($6.5 million), 765,000 cEUR ($700,000), 1.8 million MOO ($600,000), and 644,000 cUSD ($600,000) from Moola Market, per on-chain transactions.

Moola was able to recover $7.8 million in what is turning to be a normal phenomenon for DeFi exploits. Estimates from The Block show that of more than $213 million stolen during October, $93 million was later returned by the hackers.

While the project has recovered most of its funds, the activity on the lending protocol remains paused for the time being. The lending service will be resumed only after community discussions on the next steps, the team noted.


© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s Crypto Ecosystems Editor and has spent over seven years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal can be reached on Twitter at @vishal4c and via email at [email protected]