Blog Post

Tracking the $9.1 Million Moola Market Exploit

October 19, 2022

Suffice to say October 2022 has further solidified its dubious legacy, already ranking comfortably among the worst ever in the history of DeFi and cryptocurrency at large.

In the midst of a month which has already witnessed over $700 million lost to DeFi attacks, including the $570 million Binance Hack, Moola Market has become the latest multi-million dollar victim.

On October 18th, 2022, Moola Market was exploited, with hackers making off with roughly $9.1 million spread across a number of different tokens. Within hours following the exploit, the attacker has returned over 93% of the more than $9 million worth of cryptocurrencies they exploited from the Celo blockchain-based decentralized finance (DeFi) lending protocol Moola Market.

The Attack at a Glance

Moola Market is a non-custodial liquidity protocol on the Celo ecosystem that is democratizing access to yield and credit.

The AnChain.AI threat intelligence team has identified the attacker’s wallet address as:

The stolen funds are broken down as follows, and are being continuously monitored by the AnChain team:

TokenUSD8.8 million $CELO$6.6 million765k $cEUR$0.7 million1.8 million $MOO$1.2 million644k $cUSD$0.6 million

Tracing the Funds

Around October 18, 2022 at 04:02:09 PM, the attacker funded the wallet 0x5dae2c3d5a9f35bfaf36a2e6edd07c477f57789e with a total of 182,087.399 CELO valued at $134,744.68 at the time of the transaction.  

About 1,000,000.00 CELO valued at $740,000.00 at the time of the transactions was subsequently transferred from 0x5dae2c3d5a9f35bfaf36a2e6edd07c477f57789e to the following wallet addresses:

  • 0x26c300b0d1613c8929aff50cc9f833878d2417d0
  • 0xf9184d0c49218c1a0a7d80015c0f01e568029fba
  • 0xec0220fd2a8e95243f29441c244ff9b3b5a0fd88
  • 0x2fa5911f6366d5e08e47874ea92f1b028fb30bc8
  • 0x5dd9453bcc6651817f1f79a136e890795650b295
  • 0xd369a2d142a2967d0a537a46eb73e69afa10bdd6
  • 0xd7ee300baa020c8c40bd55dfcb03c58333191b65
  • 0xc3c9ee4c3f151d4fca03b1c8f2283072a2e89f51

The attacker then moved the funds to a second cluster of addresses:

  • 0x53f38e8f4878a189e8dbe7979c7cc4e8d5fbbc78
  • 0xc3c9ee4c3f151d4fca03b1c8f2283072a2e89f51
  • 0x26c300b0d1613c8929aff50cc9f833878d2417d0
  • 0xf9184d0c49218c1a0a7d80015c0f01e568029fba
  • 0x5dae2c3d5a9f35bfaf36a2e6edd07c477f57789e

After which the funds convened at 0xd868839E0964052c3ff70ec626A30516d73C799d before making a hop to the primary Moola Market exploiter wallet, 0x95B5579b323Ddc6cd290Bd4DA6e56BA019588EfC.  

Since then, around 8,126,912.722279805125286141 CELO valued at $6,013,915.41in USD has been transferred to 0xd7f77169d5e6a32c5044052f9a49eb94697b25ed.

How It Happened

The anatomy of the attack breaks down as follows:

  • Attacker bought $MOO with $CELO through a series of transactions
  • Attacker used $MOO as collateral to borrow more $CELO
  • Attacker bought $MOO with the borrowed $CELO, which continued to raise the price of $MOO
  • The collateralized lending contract used real-time prices when pair lending, which allowed the attacker to continue to borrow $CELO
  • Repetition of this process increased the price of $MOO from 0.02 $CELO to .73 $CELO
  • The attacker then was able to borrow the remaining assets on the protocol, draining all liquidity

Additional source:

Moola Market Attacker Returned 93% of Funds

Moola Market attempted to negotiate with the attackers, stating that it would negotiate a bounty payment in return for the funds.

Just hours after the initial confirmation of the exploit, the attackers returned over 93% of the funds exploited, with the attacker seemingly keeping the rest. This made the bug bounty around $500,000.

“Following today’s incident, 93.1% of funds have been returned to the Moola governance multi-sig. We have continued to pause all activity on Moola, and will follow up with the community about next steps, and to safely restart operations of the Moola protocol. (1/2)”

— Moola Market (@Moola_Market) October 18, 2022

Recap & Conclusion

While the $9.1 Million dollar price tag of this exploit and the eventual resolution may soften the blow when compared to the $100 million plus disasters that have already rocked the Web3 ecosystem in recent months, it does represent the continuation of a worrying trend. It has become all too clear that as innovation and capital in DeFi continue to balloon, so too does the motivation of hackers, scammers, and other bad actors.

Auditing on the basis of code alone is no longer enough.  Properly securing a smart contract platform requires thorough a examination of the functionality and logic as well.

Interested in enhancing the security of your DeFi project? Contact us at to schedule a demo, and for the latest updates follow us on Twitter @AnChainAI