MOAR Finance Flash Loan Attack
Moar Finance is a decentralized lending protocol. The protocol suffered from a Flash Loan attack on November 10th, which saw the attacker make off with $116k worth of funds. This left a bad debt in the protocol, which the team subsequently repaid. There does not appear to be any loss to affected users.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21]
About MOAR Finance
"MOAR is a derivative-aware, cross-chain, and operationally safe lending protocol embedded with accessible financial tooling and derivatives primitives. MOAR is built on the latest version of Solidity, can handle ERC-721 (the token for NFTs and frequently used for derivatives), and fully supports UNION Finance’s C-OP instrument (a decentralized Put) for collateral optimization natively. Built on Ethereum, MOAR will emphasize a user-friendly front-end replete with features like one-click capital optimized borrowing and yield strategy access, a proprietary liquidation program, embedded derivative support, DEX integration, structured credit products, interest rate swaps, term deposits, and cross-chain connections to BSC and Polkadot — with more L1’s planned for the future."
"Utilize derivatives to increase borrow power, hedge liquidation risk, and provide fixed rate yield curves." "Provide sophisticated, easy-to-use portfolio management tools; user-set liquidation controls, DEX, and advanced yield instruments." "Limitless financial and technology composability by building on interoperable protocols: Polkadot, BSC, more." "Minimize transaction and risk management costs through a mix of Layer 2, gas protection contracts, and Layer 1 bridging."
On June 21st, 2021, "MOAR’s first closed Beta was completed with great success!" "Peckshield, the tier 1 auditor whom we locked in Mid May for auditing MOAR started their work as agreed on June 14th. Their estimate to complete the first round of audit is 5 weeks, and we have planned an additional 1–2 weeks to address their findings. While we have seen other projects charge into Mainnet without audits or mid-audit, we continue to prioritize security when it comes to user funds."
On July 31st, the project launched "in Guarded Phase with conservative measures around our innovative features to vet stability in Mainnet." "The integration work for Polygon was completed in August and the team is developing our No-Interest Loan (NIL) using the Curve pools combined with Beefy aggregator for automatic interest pay down." "Our work with taking Ribbon’s covered Bitcoin pool and ETH pool has passed final testing!" "As shared in the last product update, the work on Polygon has already been completed. We have continued evaluating the gas situation in Ethereum and recognize the challenge of most users to operate on this layer."
On November 10th, 2021 "[a]t 7:32 PM UTC MOAR lending platform suffered a flash loan attack leaving $116k of bad debt." "Do not deposit into platform until further notice."
"Borrows have been disabled. All borrows will be rejected. Repay still works." "UNN / MOAR borrow factors are set to 35% again." "This allows legitimate borrowers who borrowed against UNN / MOAR to repay and not be liquidated."
"MOAR / UNN borrow factors reduced from 35% to 0%. Deposit rates temporarily set to 0 as all assets were 100% utilized and paying out high rates. We are evaluating ways to pay down attacker's 116k bad debt. This would free up depositor collateral for withdrawal. Borrowers are still responsible for paying their legitimate borrows. Do not deposit new funds until further updates."
"Funds to pay down the $116k bad debt has been set aside." "No MOAR tokens were sold to obtain these funds." "Existing holdings of ETH, USDC, and USDT were utilized." "25% of ETH / MOAR Uni liquidity was removed. ETH will be used as part of payment. MOAR will be kept in Treasury." "To prevent further attacks, paydown and next steps will be announced after paydown is completed." "You are still responsible to pay down your own borrows." "If you borrowed against UNN or MOAR, you are strongly advised to pay down the borrow after we pay down the bad debt."
"In the coming weeks UNN / MOAR borrow factor will be set to 0 until oracles feeds are available."
"We have confirmation from @AscendEx_global that UNION accounts and positions are unaffected by the hack. Deposits and withdrawals have been temporarily suspended. We pledge support to the AscendEx team during this difficult time."
"Team is evaluating compensation." "Diamond analysis completed. A total of 344,578 MOAR will be distributed! Link to check reward will be shared early next week."
"At this time, all bad debt has been repaid. Any outstanding debt is the responsibility of the borrowers themselves to repay."
"Starting the year off the right way! Telegram is here for everyone. We ask previously banned users to rejoin with our most sincere apologies. This community deserved and will get better! Appreciate your continued support and patience."
"Next steps to re-enable borrows are to set MOAR and UNN to 0 borrow factor the week of Dec. 6th, until Oracle solution found. Please manage your liquidity!" "That means, they will not contribute any collateral value to your borrows. If you have borrows relying on MOAR and UNN, you may fall into negative liquidity and be considered for liquidation. We are giving plenty of advance warning (along with our tweets last week) so you have time to manage liquidity."
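The announcements above describe a risk-parameter change rather than an exploit: the UNN/MOAR borrow factor goes from 35% to 0%, and borrowers relying on those tokens may "fall into negative liquidity". The following added example (not MOAR's own code) is the dry-run a risk engineer would perform before such a change: it recomputes each account's liquidity under both factor sets, lists the borrowers who need the advance warning, and totals the bad debt the protocol would be left carrying. The ETH/USDC factors, all prices and all positions are constructed values.

```python
from dataclasses import dataclass

# Borrow factors: UNN/MOAR at 35% (post-incident) and at 0% (from the week of Dec. 6th), as
# announced by the team. The ETH/USDC factors, the prices and the positions are constructed.
FACTORS_35 = {"ETH": 0.80, "USDC": 0.85, "MOAR": 0.35, "UNN": 0.35}
FACTORS_0 = {**FACTORS_35, "MOAR": 0.0, "UNN": 0.0}
PRICES_USD = {"ETH": 4000.0, "USDC": 1.0, "MOAR": 0.05, "UNN": 0.10}  # constructed

@dataclass
class Position:
    name: str
    collateral: dict  # asset -> units supplied
    borrows: dict     # asset -> units borrowed

def usd_value(book, prices):
    return sum(units * prices[asset] for asset, units in book.items())

def account_liquidity(pos, factors, prices):
    """Borrow capacity minus debt, in USD; negative means the account can be liquidated.
    A factor of 0 removes an asset from capacity whatever price the feed reports, which is
    why UNN/MOAR were zeroed until a reliable oracle feed is available."""
    capacity = sum(u * prices[a] * factors[a] for a, u in pos.collateral.items())
    return capacity - usd_value(pos.borrows, prices)

def bad_debt(pos, prices):
    """Debt left uncovered even if all of the collateral were seized at current prices."""
    return max(0.0, usd_value(pos.borrows, prices) - usd_value(pos.collateral, prices))

def liquidatable(positions, factors, prices):
    return [p.name for p in positions if account_liquidity(p, factors, prices) < 0]

def newly_at_risk(positions, old_factors, new_factors, prices):
    """Accounts healthy under the old factors that go negative under the new ones:
    the borrowers who need the advance warning to add collateral or repay."""
    before = set(liquidatable(positions, old_factors, prices))
    return [n for n in liquidatable(positions, new_factors, prices) if n not in before]

def protocol_bad_debt(positions, prices):
    return sum(bad_debt(p, prices) for p in positions)

# Constructed sample book: four borrowers with different collateral mixes.
POSITIONS = [
    Position("eth_only", {"ETH": 10}, {"USDC": 20_000}),
    Position("moar_backed", {"MOAR": 1_000_000}, {"USDC": 15_000}),
    Position("mixed", {"ETH": 1, "UNN": 100_000}, {"USDC": 4_000}),
    Position("underwater", {"UNN": 200_000}, {"USDC": 30_000}),
]
```

Running `newly_at_risk(POSITIONS, FACTORS_35, FACTORS_0, PRICES_USD)` returns the two accounts that are healthy at 35% but negative at 0%, while `protocol_bad_debt` reports the shortfall that no liquidation can recover and that a treasury must cover.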
The Reality
What Happened
Date | Event | Description |
---|---|---|
November 10th, 2021 | Main Event | At 7:32 PM UTC the MOAR lending platform suffered a flash loan attack, leaving $116k of bad debt. Borrows were disabled, users were told not to deposit until further notice, and the team later repaid the bad debt from existing treasury holdings. |
Technical Details
Total Amount Lost
The total amount lost has been estimated at $116,000 USD.
Immediate Reactions
Ultimate Outcome
Total Amount Recovered
The total amount recovered has been estimated at $116,000 USD.
Ongoing Developments
General Prevention Policies
This was a minor loss that occurred in an audited smart contract, which is by nature a hot wallet. Security could have been improved by using a more robust price oracle and by obtaining audits from multiple firms. While it is certainly possible to hold more funds in offline multi-sig cold storage, the loss was relatively small and can easily be covered by treasury self-insurance or an industry insurance fund.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. https://mobile.twitter.com/MOARFinance/status/1458785126150725637 (Jan 8, 2022)
2. https://mobile.twitter.com/MOARFinance/status/1473434296979443714 (Jan 8, 2022)
3. https://mobile.twitter.com/UNNFinance/status/1470105060176715776 (Jan 8, 2022)
4. https://moardefi.finance/ (Jan 8, 2022)
5. More Moar Product Issue 5 (Jan 8, 2022)
6. Moar Launches In Guarded Phase (Jan 8, 2022)
7. More Moar Product Issue 8 (Jan 8, 2022)
8. More Moar Product Issue 9 (Jan 8, 2022)
9. More Moar Product Issue 10 (Jan 8, 2022)
10. https://mobile.twitter.com/MOARFinance/status/1458623631655849987 (Jan 8, 2022)
11. Ethereum Transaction Hash (Txhash) Details | Etherscan (Jan 8, 2022)
12. https://mobile.twitter.com/MOARFinance/status/1458817636293304327 (Jan 8, 2022)
13. https://mobile.twitter.com/MOARFinance/status/1458860259494219783 (Jan 8, 2022)
14. https://mobile.twitter.com/MOARFinance/status/1459148147222056971 (Jan 8, 2022)
15. Ethereum Transaction Hash (Txhash) Details | Etherscan (Jan 8, 2022)
16. Ethereum Transaction Hash (Txhash) Details | Etherscan (Jan 8, 2022)
17. Ethereum Transaction Hash (Txhash) Details | Etherscan (Jan 8, 2022)
18. Ethereum Transaction Hash (Txhash) Details | Etherscan (Jan 8, 2022)
19. https://mobile.twitter.com/MOARFinance/status/1460620725832798215 (Jan 8, 2022)
20. https://mobile.twitter.com/MOARFinance/status/1461750703827861507 (Jan 8, 2022)
21. Diamond Rewards v1.1 - Google Sheets (Jan 8, 2022)