After draining $116 million worth of funds from Mango Markets, Avraham Eisenberg attempted to perform the same trick on Aave but failed.
This highlights some risks in the decentralised finance (DeFi) lending space, especially for illiquid tokens.
Here’s a breakdown of what happened to these protocols, and how DeFi lending may not be that foolproof.
How does DeFi lending work?
Platforms like Aave, Compound and Mango Markets act as a bank to lend out your funds to interested borrowers.
However, this is done differently from a bank as there is no middleman involved in the entire process. These platforms will use smart contracts to connect lenders to borrowers, and transactions will be executed when certain conditions are met.
Everything is done in code, so there is no bias or Know Your Customer (KYC) requirements. These platforms are thus operating in a trustless manner.
If you want to take a loan from these platforms, you will need to supply your assets as collateral.
These loans are over-collateralised, meaning that the funds you supplied will be greater than the amount you can borrow.
In the event that you are unable to pay back your loan, the platform is able to cover its losses with the funds that you supplied as collateral.
How was Mango Markets hacked?
While other DeFi protocols had their smart contracts hacked which resulted in the loss of funds, Mango Markets was actually exploited due to oracle price manipulation.
Oracles help to send data from the outside world to the blockchain. This allows smart contracts to be executed based on external data. In the case of Mango Markets, the third-party data that the oracle provided was the price of MNGO, the native token of Mango Markets.
In fact, the largest oracle in the crypto world, Chainlink, just announced LINK staking to secure the price data feed of the ETH/USD trading pair, and you can find out more about it here.
Avraham Eisenberg, the man behind the exploit, manipulated the price of MNGO by using 2 wallets:
- Wallet A bought 5 million USDC worth of MNGO and shorted it (i.e. betting that the price will fall)
- Wallet B bought the same amount of MNGO to hedge the position
The hacker then used more funds to buy up even more MNGO tokens, which have rather low liquidity.
A token with low liquidity means that there is very little trading volume, and this makes it more susceptible to price manipulations.
With the large buy volumes of spot MNGO tokens, this led to a rise in price from 2 cents to 91 cents.
With this huge increase in price, the exploiter now had enough collateral to take out huge loans which amounted to $116 million.
This was because the price of MNGO rose by almost 4,500%, which led to his initial 5 million USDC investment in MNGO shooting up in price.
As a result, the exploiter was able to drain all liquidity in Mango Markets.
Mango Markets was left with a lot of bad debt, while the exploiter made away with a huge amount of money!
This was not due to a fault by the price oracle, which was working as intended.
However, this ‘hack’ was possible by manipulating the markets of illiquid tokens, like what was done for MNGO.
Avraham Eisenberg later announced that he was the hacker, and offered to return $67 million of the stolen funds.
Aave was next
Eisenberg tried this exploit on Aave, the largest DeFi lending platform based on Total Value Locked (TVL).
This time round, the token that was being targeted was the CRV token, the native token of Curve Finance.
After depositing USDC into Aave, he borrowed the CRV token and attempted to short-sell the token.
However, what he did not expect was that Curve Finance released their whitepaper for their very own stablecoin, which led to a price pump of the CRV token.
While Eisenberg’s attempt to manipulate Aave was thwarted, this still left Aave with some bad debt amounting to $1.6 million.
To prevent future attacks of such illiquid tokens, these money market platforms tried to apply some measures.
A new proposal was raised by the Aave community to freeze the markets of volatile assets, while Compound set borrow caps on 10 tokens to avoid market manipulation.
A similar attack happened to Lodestar Finance
Unfortunately, another money market platform was attacked, this time on the Arbitrum network.
It was mentioned that the exploiter artificially “pumped the price of an illiquid collateral asset which they then borrow against, leaving the protocol with irretrievable debt.”.
This time, it was the pvGLP token that was used in the exploit, and the exploiter was able to drain $7 million worth of Total Value Locked (TVL) from the protocol.
Is DeFi lending really safe?
Supplying your funds and earning an interest rate is rather appealing, but these recent exploits highlight the risks of DeFi lending platforms.
Illiquid tokens can be subject to price manipulations, which have the potential to drain the entire platform of all the funds that you supplied!
It is good to see that these platforms recognise the risks involved, and are taking measures to prevent such an attack from happening again.
At Krystal, we’ve integrated with 3 different money market platforms, including Aave, Compound and Venus.
However, if DeFi lending is not really your thing, we’ve just added another passive income option for you!
We have partnered with Lido Finance and Ankr to provide liquid staking options for 5 different assets (BNB, AVAX, MATIC, ETH, FTM).
Deposit your funds and earn passive income in our all-in-one platform now!
🔍 Navigate the DeFi Space NOW with Krystal!
Start your journey NOW on Desktop, iOS or Android