Cyber Incident Victim: Moola Market
Date:
Oct 2022
Location:
United States of America
Summary
A decentralized finance platform suffered a $9 million cryptocurrency exploit when an attacker manipulated the price of its native token (MOO) on a decentralized exchange, distorting the protocol's price oracle to borrow substantial amounts of cUSD, cEUR, and CELO using inflated MOO collateral. The platform paused all operations, engaged law enforcement, and negotiated with the attacker, resulting in 93.1% of the stolen funds being returned. The attack methodology mirrored a previous incident involving another lending protocol, where illiquid collateral tokens were exploited to drain assets, highlighting systemic vulnerabilities in protocols relying on manipulable price feeds. Blockchain analysts noted such exploits underscore risks associated with insufficiently liquid collateral in lending platforms.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 18, 2022, decentralized finance platform Moola Market, operating on the Celo blockchain, disclosed a security incident resulting in the loss of approximately $9 million in cryptocurrency. The platform announced via Twitter at 19:03 BST that it was actively investigating the breach and had paused all activity, advising users not to trade mTokens. Moola Market’s initial public statement included a direct appeal to the exploiter, confirming contact with law enforcement and efforts to obstruct fund liquidation, while offering to negotiate a bounty for the return of stolen assets within 24 hours. Within hours, the platform reported that 93.1% of the funds had been returned to its governance multi-signature wallet, though operations remained suspended pending further community consultation and safety measures. Subsequent updates attributed the attack to an unknown actor who manipulated the price of MOO tokens on decentralized exchange Ubeswap, artificially inflating the MOO time-weighted average price (TWAP) oracle utilized by Moola’s protocol. This manipulation enabled the attacker to borrow substantial quantities of cUSD, cEUR, and CELO stablecoins using MOO as collateral, effectively draining the protocol’s liquidity.
Ten minutes after Moola’s bounty offer, an individual claiming responsibility contacted the team via direct message, demonstrating control over a private key holding the majority of stolen funds. This communication facilitated the partial recovery, with returned assets transferred to an administrative multi-sig wallet. The incident mirrored a $177 million exploit against Mango Markets on October 11, 2022, where the attacker retained $47 million as a negotiated bounty. Blockchain security firm CertiK analyzed both cases, noting attackers borrowed illiquid native platform tokens, inflated their collateral value through market manipulation, and leveraged this to drain other protocol assets. CertiK emphasized the risk to users of similar lending platforms, particularly those with insufficiently liquid collateral, which increases vulnerability to such strategies. The breach occurred amid heightened law enforcement warnings, including an August 2022 FBI advisory on rising DeFi platform exploits targeting investor funds, and followed a separate $570 million cross-chain bridge theft earlier in October 2022. Moola Market’s public communications focused exclusively on incident containment, fund recovery negotiations, and operational suspension, with no disclosure of long-term financial impacts or user compensation plans at the time of reporting.