The decentralized lending protocol Compound has paused the supply of four tokens used as collateral for loans on its platform in an effort to protect users from possible attacks involving market manipulation, comparable to the recent $117 million Mango Markets exploit.
Users will no longer be able to use Basic Attention Token (BAT), Maker’s MKR, 0x’s ZRX or Yearn.finance’s YFI as collateral when taking out loans.
On October 25, the plan was approved by 99% of voters. Compound said that the collateral assets have considerably greater liquidity than MNGO, and the company requires loans to be over-collateralized. They stated:
“However, out of an abundance of caution, we propose pausing supply for the above assets, given their relative liquidity profiles.”
The Volt Protocol team identified possible market manipulation risks associated with low-liquidity tokens during a security evaluation of Compound v2 conducted in September. According to the report, the exploit is possible when a token’s borrowable amount on marketplaces like Aave and Compound is high compared to the market’s liquidity.
Compound’s founder, Robert Leshner, emphasized on Twitter that current users will not be affected by the precautionary measure.
Avraham Eisenberg, the hacker responsible for the Mango Markets exploit, inflated the value of posted collateral — MNGO, the platform’s native token — on October 11 and then took out large loans against the increased collateral, depleting Mango’s funds.
Self-identified as a digital art dealer on Twitter, the exploiter asserted that he and a group of hackers engaged in “legal open market actions, using the protocol as designed” and that it was a “highly profitable trading strategy.”
Eisenberg was given permission to keep $47 million as a “bug bounty” after a petition in Mango’s governance forum was granted, and $67 million was given back to the treasury.