Decentralized finance (DeFi) application Compound has paused the supply of four prominent tokens to protect users against a potential market manipulation attack – a new type of exploit that has seen over $100 million in stolen funds this month alone.
Tokens 0x (ZRX), yearn finance (YFI), basic attention token (BAT) and maker (MKR) will no longer be lent to users on Compound v2, the protocol’s latest version.
“An oracle manipulation-based attack analogous to the one that cost Mango Markets $117 [million] is much less likely to occur on Compound due to collateral assets having much deeper liquidity than MNGO and Compound requiring loans to be over-collateralized,” Paul Lei, a risk manager at modeling tool Gauntlet, wrote in the proposal on Tuesday.
“However, out of an abundance of caution, we propose pausing supply for the above assets, given their relative liquidity profiles,” Lei added.
The move came after a proposal floated by Compound’s governance community was passed Tuesday morning with over 99% of all voters in favor, with some 554,000 COMP staked to vote. Crypto data provider Gauntlet was the biggest voter, with some 126,000 COMP staked as votes, followed by Compound founder Robert Leshner, who staked some 70,000 COMP.
The proposal, floated initially in September, flagged low liquidity for the four tokens on Compound as a potential attack vector for market manipulation exploits.
Developers wrote at the time that attackers could manipulate lending markets on Compound to be able to illicitly borrow funds in excess of their holdings. They also flagged a more sophisticated strategy that would exploit the pricing difference on two assets that use different oracles, or third-party services that fetch data from outside a blockchain to within.
Market manipulations: The new crypto exploit strategy
Mango, like other decentralized exchanges (DEX), relied on smart contracts to match trades between decentralized finance (DeFi) users. This is key to understanding how such exploits take place: Smart contracts are wholly decentralized and are not overseen by a centralized party – which means a rogue trader can deploy enough money to exploit loopholes in any protocol without the risk of anyone stepping in to stop the attack before it takes place.
In such exploits, rogue traders use initial funding to buy up a relatively illiquid spot token, which often leads to the prices of that token shooting up in a very short time span.
As spot prices increase, the rogue trader then uses the artificially inflated tokens as collateral to quickly borrow other tokens – with the motive of eventually draining all funds from the attacked protocol.
It’s important to note that the above manipulation strategy won't work on two centralized exchanges, because a trader placing high bids on one venue would mean prices automatically move higher on that exchange and other exchanges immediately raise the price of assets on their own systems – meaning the strategy is unlikely to net any profits.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by Block.one; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.