Celo’s Green

Market Meditations | October 19, 2022

Celo’s green was at risk yesterday as an attacker withdrew about $10 million from their flagship lending protocol Moola Market. Most of the funds were returned this morning, but doesn’t it sound like déjà vu?

  • Celo is a layer-1 blockchain based on the Proof of Stake mechanism. It’s fully compatible with the Ethereum Virtual Machine (EVM).
  • The leading DeFi app on Celo is Moola Market, which is a fork of Aave protocol v1. Users can earn yield on their deposits paid for by borrowers with overcollateralised loans.
  • In what looks like a copycat crime of the Mango Markets exploit, the attacker used native tokens (CELO and MOO) to artificially inflate their collateral.
  • The Block’s Igor Igamberdiev broke down the actions in a tweet thread last night, which started by obtaining 243,000 CELO tokens from Binance.
  • They used about a quarter of this CELO to borrow 1.8 million MOO tokens and then used the rest of the CELO to boost the price of MOO on Ubeswap.
  • This allowed them to borrow large amounts of USD and EUR equivalent stablecoins, draining the protocol in the process.
  • It appears as if the hacker has retained a 700k CELO bug bounty (worth about $0.5 million) after returning the funds this morning.

Chainalysis had already concluded that October 2022 was the worst month for hacks and this trend seems to be continuing.