After Mango Markets exploit, Compound pauses 4 tokens to safeguard against price manipulation

Decentralized lending protocol Compound has paused the use of 4 tokens as lending collateral on its platform, aiming to protect users against potential price manipulation attacks like the recent $117 million exploit of Mango Markets, according to a proposal on Compound’s governance forum that recently passed.

With the pause, users won’t be able to deposit Yearn.finance’s YFI (YFI), 0x’s ZRX, Basic Attention Token (BAT) and Maker’s MKR (MKR) as collateral to take out loans.

The proposal passed on March 25 with 99% of voters in favor. It stated:

“An oracle manipulation-based attack similar to the one which cost Mango Markets $117m is far less likely to occur on Compound because of collateral assets having much deeper liquidity than MNGO and Compound requiring loans to be over-collateralized. However, out of an abundance of caution, we advise pausing supply for the above assets, given their relative liquidity profiles.”

In a security review of Compound v2 performed in September, the Volt Protocol team identified potential market manipulation risks associated with low-liquidity tokens. The report stated:

“The attack is possible when the quantity of a token borrowable on markets like Aave and Compound is large compared to the liquid market. The best-known example is ZRX, which has borrowable liquidity on these markets similar to or greater than the typical daily volume across all centralized and decentralized exchanges.”

On Twitter, Robert Leshner, founder of Compound, said the conservative approach wouldn’t impact existing users.

On March 11, Avraham Eisenberg, the hacker behind the Mango Markets exploit, manipulated the value of posted collateral — the platform’s native token, MNGO — to higher prices, then took out significant loans against the inflated collateral, which drained Mango’s treasury.

The exploiter, who describes himself as an electronic art dealer on Twitter, claimed that he and a group of online hackers undertook a “highly lucrative buying and selling strategy” that was “legal open market actions, while using the protocol as designed.”

After a proposal on Mango’s governance forum was approved, Eisenberg was allowed to keep $47 million as a “bug bounty” while $67 million was sent back to the treasury.
