Decentralized lending protocol Compound has paused the supply of four tokens as lending collateral on its platform, aiming to protect users against potential attacks involving price manipulation, similar to the recent $117 million exploit from Mango Market’s, according to a proposal on Compound’s governance forum.
With the pause, users will not be able to deposit yearn finance (YFI), 0x (ZRX), basic attention token (BAT) and maker (MKR) tokens as collateral to take loans.
The proposal passed on Oct. 25 with 99% of all voters in favor. It stated:
“An oracle manipulation-based attack analogous to the one that cost Mango Markets $117m is much less likely to occur on Compound due to collateral assets having much deeper liquidity than MNGO and Compound requiring loans to be over-collateralized. However, out of an abundance of caution, we propose pausing supply for the above assets, given their relative liquidity profiles.”
In a security review of Compound v2 performed in September, the Volt Protocol team identified potential market manipulation risks related to low-liquidity tokens. The report explained:
“The attack is possible when the amount of a token borrowable on markets like Aave and Compound is large compared to the liquid market. The most notable example is ZRX, which has borrowable liquidity on each of these markets comparable to or greater than the usual daily volume across all centralized and decentralized exchanges.”
On Twitter, Robert Leshner, founder of Compound, explained that the conservative approach won’t impact existing users.
This conservative approach won’t impact existing users, and encourages the migration of usage to Compound III (which is resistant to the attack vector). https://t.co/yMQDgRXru7
— Robert Leshner (@rleshner) October 21, 2022
On Oct. 11, Avraham Eisenberg, the hacker behind the Mango’s Market exploit, manipulated the value of a posted collateral — the platforms’ native token, MNGO — to higher prices, then took out significant loans against the inflated collateral, which drained Mango’s treasury.
The exploiter, self-described as a digital art dealer on Twitter, claimed that he and a team of hackers undertook a “highly profitable trading strategy” and that it was “legal open market actions, using the protocol as designed.”
After voting a proposal in the Mango’s governance forum, Eisenberg was allowed to keep $47 million as a “bug bounty”, while $67 million was sent back to the treasury.