After Mango Markets Exploit, Compound Pauses 4 Tokens to Protect Against Price Manipulation

Decentralized lending protocol Compound has paused the supply of four tokens as loan collateral on its platform, aiming to protect users from potential price manipulation attacks similar to Mango Markets’ recent $117 million exploit, according to a recently passed proposal on Compound’s governance forum.

With the pause, users will not be able to deposit Yearn.finance’s YFI (YFI), 0x’s ZRX, Basic Attention Token (BAT), and Maker’s MKR (MKR) as collateral to take out loans.

The proposal was passed on October 25 with 99% of all voters in favor. It stated:

“An oracle-based attack, analogous to the one that cost Mango Markets $117 million, is much less likely to occur on Compound because collateral assets have much deeper liquidity than MNGO and Compound requires loans to be over-collateralised. However, as a precaution, we propose to interrupt the delivery of the above assets, given their relative liquidity profiles.”

In a Compound v2 security study conducted in September, the Volt Protocol team identified potential market manipulation risks related to low-liquidity tokens. The report explained:

“The attack is possible when the amount of a token that can be borrowed in markets such as Aave and Compound is large compared to the liquid market. The most notable example is ZRX, which has borrowable liquidity in each of these markets comparable with or greater than the usual daily volume across all centralized and decentralized exchanges.”

On Twitter, Compound founder Robert Leshner explained that the conservative approach would not affect existing users.

Following on from the @mangomarkets exploit, @gauntletnetwork has proposed to disable the new offering for the most sparsely traded collateral.

This conservative approach does not affect existing users and encourages the migration of usage to Compound III (which is resistant to the attack vector).

— Robert Leshner (@rleshner) October 21, 2022

On October 11, Avraham Eisenberg, the hacker behind the Mango Markets exploit, manipulated the price of his posted collateral, the platform’s native token MNGO, upward, then took out significant loans against the inflated collateral, draining Mango’s coffers.

The exploiter, who described himself on Twitter as a digital art dealer, claimed that he and a team of hackers engaged in a “highly profitable trading strategy” and that it was “legal open market action, using the protocol as designed”.

After a proposal was approved in Mango’s governance forum, Eisenberg was allowed to keep $47 million as a “bug bounty” while $67 million was returned to the treasury.

