After draining $116 million worth of funds from Mango Markets, Avraham Eisenberg attempted a similar play against Aave but failed.
Furthermore, Lodestar Finance lost $5.8 million from a similar attack by another hacker.
This highlights some risks in the decentralised finance (DeFi) lending space, especially for illiquid tokens.
Here’s a breakdown of what happened to these protocols, and how DeFi lending may not be that foolproof.
How does DeFi lending work?
Platforms like Aave, Compound and Mango Markets play the role of a bank: they pool the funds you deposit and lend them out to interested borrowers.
However, they do this without a middleman. Smart contracts match lenders to borrowers, and every deposit, borrow, repayment and liquidation is executed automatically when the coded conditions are met.
Because every rule is enforced in code, there is no discretion and no Know Your Customer (KYC) requirement; anyone with a wallet can take part. That is what is meant when these platforms are described as trustless.
If you want to take a loan from these platforms, you must first supply assets as collateral.
These loans are over-collateralised, meaning that the value of the collateral you supply must exceed the amount you borrow: each collateral asset has a collateral factor, so you can borrow only a fraction of what you deposit (for example 75 cents per dollar of collateral).
If you are unable to repay, the platform sells (liquidates) your collateral to cover the loan. That only works if the collateral can actually be sold for roughly what the protocol's price feed says it is worth, which is exactly the assumption the attacks below broke.
How was Mango Markets hacked?
While many DeFi protocols have lost funds to bugs in their smart contracts, Mango Markets' contracts did what they were written to do. The protocol was exploited through oracle price manipulation: the attacker moved the market price that the contracts relied on.
We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We are taking steps to have third parties freeze funds in flight. 1/
— Mango (@mangomarkets) October 11, 2022
Oracles bring data from outside the blockchain on-chain so that smart contracts can act on it. In Mango Markets' case, the data the oracle supplied was the market price of MNGO, the native token of Mango Markets, as observed on exchanges.
Chainlink, the largest oracle network in crypto, had just announced LINK staking to secure its ETH/USD price feed, which shows how much weight the ecosystem puts on price feeds being honest.
Avraham Eisenberg, the man behind the exploit, set up the trade with 2 wallets, each funded with 5 million USDC:
- Wallet A offered (sold short) a very large MNGO perpetual futures position on Mango's order book, i.e. a bet that the price would fall
- Wallet B bought that same position, taking the long side, so the two wallets' exposure cancelled out and neither was at risk from normal price moves
2/ attacker then offered out 483mm units of MNGO perps on the order book
— Joshua Lim (@joshua_j_lim) October 12, 2022
The attacker then used further funds to buy spot MNGO on exchanges, a token with very low liquidity.
Low liquidity means thin order books: few resting orders and little trading volume, so a relatively small amount of buying consumes all the offers near the current price and moves the price a long way. That makes such a token cheap to manipulate.
The burst of spot buying pushed MNGO from around 2 cents to 91 cents.
4/ at 6:26 PM ET, attacker started to move the price of MNGO spot mkt, it traded as high as $0.91
— Joshua Lim (@joshua_j_lim) October 12, 2022
Because the oracle now reported the pumped price, Wallet B's long position showed an enormous unrealised profit, and Mango counted that profit toward the wallet's collateral. Against it, the attacker borrowed roughly $116 million of assets from Mango's lending pools.
A move of almost 4,500% in MNGO turned a 5 million USDC stake into nine-figure borrowing power, even though the tokens behind it could never have been sold for anything close to that.
As a result, the attacker was able to drain essentially all available liquidity from Mango Markets.
6/ it looks like that effectively wiped out all available liquidity on mango
— Joshua Lim (@joshua_j_lim) October 12, 2022
Mango Markets was left with a large amount of bad debt, while the exploiter walked away with the borrowed funds.
This was not a fault in the price oracle, which was working as intended: it reported the price at which MNGO was actually trading.
Jesus, the attacker pumped and dumped the mango token, which is a thinly traded token. Oracles just report the price. Pyth/Switchboard accurately reported the prevailing prices on exchanges
— Kanav Kariya (@KanavKariya) October 12, 2022
The ‘hack’ was possible because the spot market for an illiquid token like MNGO could be moved cheaply, and the protocol accepted that market price as the value of collateral without asking whether the collateral could really be sold at it.
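To make the mechanism concrete, here is a small Python model of the over-collateralised lending rule described above together with the pump-then-borrow sequence. It is an added example written for this article, not code from Mango Markets, Aave or Krystal. It simplifies Mango's perpetual-futures set-up to a plain lending market in which the attacker posts the pumped token itself as collateral; the pool sizes, the 0.75 collateral factor, the 115,000 USDC attack budget and the optional borrow cap (the kind of limit Compound later set on its markets) are constructed numbers, not real parameters.

```python
"""Toy model of an over-collateralised money market under an oracle-price manipulation.

Added example, not code from Mango Markets, Aave or Krystal. Pool sizes, the
collateral factor and the attacker's budget are constructed numbers chosen to
mimic the shape of the MNGO pump (price 0.02 -> ~0.91), not real parameters.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SpotPool:
    """Constant-product (x*y=k) spot market; the oracle reports its current price."""
    usdc: float
    token: float

    def price(self) -> float:
        return self.usdc / self.token

    def buy_token(self, usdc_in: float) -> float:
        """Swap usdc_in for tokens and return the tokens received.
        In a thin pool a modest buy moves the price a lot (price = usdc^2 / k)."""
        k = self.usdc * self.token
        new_usdc = self.usdc + usdc_in
        new_token = k / new_usdc
        out = self.token - new_token
        self.usdc, self.token = new_usdc, new_token
        return out


@dataclass
class LendingMarket:
    """Lenders deposit USDC; borrowers post the token as collateral and may borrow
    up to collateral_value * collateral_factor (the over-collateralisation rule)."""
    usdc_liquidity: float
    collateral_factor: float = 0.75                 # constructed: borrow 75c per $1 of collateral
    borrow_cap: Optional[float] = None              # max total USDC lent out, if set
    collateral: Dict[str, float] = field(default_factory=dict)
    debt: Dict[str, float] = field(default_factory=dict)

    def borrow_power(self, user: str, oracle_price: float) -> float:
        return self.collateral.get(user, 0.0) * oracle_price * self.collateral_factor

    def borrow(self, user: str, want: float, oracle_price: float) -> float:
        """Lend min(want, remaining borrow power, pool liquidity, cap headroom)."""
        limit = self.borrow_power(user, oracle_price) - self.debt.get(user, 0.0)
        limit = min(limit, self.usdc_liquidity)
        if self.borrow_cap is not None:
            limit = min(limit, self.borrow_cap - sum(self.debt.values()))
        amount = max(0.0, min(want, limit))
        self.debt[user] = self.debt.get(user, 0.0) + amount
        self.usdc_liquidity -= amount
        return amount

    def bad_debt(self, user: str, liquidation_price: float) -> float:
        """Debt that selling the user's collateral at liquidation_price cannot repay."""
        recoverable = self.collateral.get(user, 0.0) * liquidation_price
        return max(0.0, self.debt.get(user, 0.0) - recoverable)


def simulate(pool_usdc: float, pool_token: float, attacker_usdc: float,
             lender_usdc: float, borrow_cap: Optional[float] = None) -> dict:
    """Run the three-step attack: pump the spot price, borrow against it, price reverts."""
    pool = SpotPool(pool_usdc, pool_token)
    market = LendingMarket(lender_usdc, borrow_cap=borrow_cap)
    fair_price = pool.price()

    # 1. Buy the thinly traded token on spot; the oracle faithfully reports the new price.
    tokens = pool.buy_token(attacker_usdc)
    pumped_price = pool.price()

    # 2. Post the tokens as collateral and borrow every USDC the inflated price allows.
    market.collateral["attacker"] = tokens
    borrowed = market.borrow("attacker", float("inf"), pumped_price)

    # 3. The price falls back to fair value; liquidating the collateral cannot cover the loan.
    bad_debt = market.bad_debt("attacker", fair_price)

    return {
        "fair_price": fair_price,
        "pumped_price": pumped_price,
        "borrowed": borrowed,
        "bad_debt": bad_debt,
        # USDC kept minus USDC spent on the pump (collateral is forfeited, so it is not counted)
        "attacker_profit": borrowed - attacker_usdc,
    }


if __name__ == "__main__":
    runs = (
        ("thin pool", simulate(20_000, 1_000_000, 115_000, 10_000_000)),
        ("thin pool + borrow cap", simulate(20_000, 1_000_000, 115_000, 10_000_000, borrow_cap=50_000)),
        ("deep pool", simulate(2_000_000, 100_000_000, 115_000, 10_000_000)),
    )
    for name, r in runs:
        print(f"{name:24s} price {r['fair_price']:.3f}->{r['pumped_price']:.3f} "
              f"borrowed {r['borrowed']:,.0f} bad debt {r['bad_debt']:,.0f} "
              f"attacker P/L {r['attacker_profit']:,.0f}")
```

In the thin-pool run, 115,000 USDC lifts the price from 0.02 to about 0.91, the attacker borrows around 582,000 USDC against tokens worth about 17,000 at the fair price, and the lenders are left with roughly 565,000 of bad debt. The deep-pool run uses the same buy against 100 times the depth: the price barely moves, the borrow is smaller than the money spent, and there is no bad debt, which is why liquidity matters more than the oracle here. The borrow-cap run shows that even when the pump succeeds, a cap bounds the bad debt at the cap and makes the attack unprofitable. Real protocols also apply liquidation thresholds and liquidator bonuses, which the model leaves out.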
Avraham Eisenberg later announced that he was behind the exploit, and offered to return $67 million of the funds.
To remedy the situation, I helped negotiate a settlement agreement with the insurance fund with the goal of making all users whole as soon as possible as well as recapitalizing the exchange.
— Avraham Eisenberg (@avi_eisen) October 15, 2022
Aave was next
Eisenberg then tried a play of the same kind on Aave, the largest DeFi lending platform by Total Value Locked (TVL).
This time the targeted token was CRV, the native token of Curve Finance.
After depositing USDC into Aave as collateral, he borrowed a large amount of CRV and sold it, i.e. a short. A borrow like this carries the mirror-image risk of the Mango case: if the borrowed token rises in price faster than liquidators can close the position, the debt outgrows the collateral.
That is what happened. Curve Finance released the whitepaper for its own stablecoin, CRV jumped on the news, and the position was liquidated; but because CRV is thinly traded, liquidators could not clear the whole position.
.@CurveFinance has released the whitepaper for its $crvUSD stablecoin 🪙
$crvUSD will use a novel lending-liquidating AMM algorithm, or ‘LLAMMA’, to protect borrowers whose collateral drops below the liquidation price.
$CRV token jumped 15% on the news 📈
— The Defiant (@DefiantNews) November 22, 2022
While Eisenberg’s attempt on Aave was thwarted, the unliquidated remainder still left Aave with bad debt of about $1.6 million.
2/6 A large CRV borrow that had been building up for the last week was mostly cleared by the protocol liquidation process. However, the position was not covered entirely & 2.64M CRV (≈ $1.6M at current value) remains. This represents < 0.1% of the borrows on the protocol.
— Aave (@AaveAave) November 22, 2022
The aftermath
To reduce their exposure to illiquid tokens, the money market platforms tightened their risk parameters.
An Aave community proposal sought to freeze the markets of volatile, thinly traded assets, while Compound set borrow caps on 10 tokens so that no single position can borrow more of an asset than its market could absorb in a liquidation.
DeFi lender Compound to set borrow caps on 10 crypto collateral assets https://t.co/fsM0oZdUwR
— The Block (@TheBlock__) November 29, 2022
A similar attack happened to Lodestar Finance
Unfortunately, another money market platform, Lodestar Finance on the Arbitrum network, was attacked the following month.
Protocol was exploited and deposits have been drained. We have set all interest rates to 0 so that supply and borrow balances are not moving while we weigh recovery options. What we know right now:
— Lodestar Finance (💙,🧡) (@LodestarFinance) December 10, 2022
CertiK's analysis, quoted by Cointelegraph, was that the exploiter “artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt.”
According to CertiK, Lodestar hackers “artificially pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt." https://t.co/mRsLMhh93v
— Cointelegraph (@Cointelegraph) December 12, 2022
This time the collateral asset was plvGLP. The attacker inflated the price Lodestar's oracle reported for it, borrowed against the inflated collateral, and drained roughly $7 million worth of the protocol's Total Value Locked (TVL).
Is DeFi lending really safe?
Supplying your funds and earning interest is appealing, but these exploits highlight a risk that is specific to DeFi lending platforms.
An illiquid collateral asset can be pumped cheaply, and a protocol that values collateral at the pumped price will lend out real, liquid assets against it. When the price reverts the bad debt is borne by the lenders who supplied those assets, and a single position can drain an entire market.
It is good to see that these platforms recognise the risk and are tightening collateral rules and borrow caps to prevent a repeat.
At Krystal, we’ve integrated with 3 different money market platforms, including Aave, Compound and Venus.
However, if DeFi lending is not really your thing, we’ve just added another passive income option for you!
We have partnered with Lido Finance and Ankr to provide liquid staking options for 5 different assets (BNB, AVAX, MATIC, ETH, FTM).
Deposit your funds and earn passive income in our all-in-one platform now!