[TheRecord] Collapse of Luna cryptocurrency leads to $11 million exploit on Venus Protocol

Venus Protocol, a decentralized money market, announced on Thursday evening that about $11 million had been lost due to people exploiting the historic collapse of the Luna cryptocurrency and its sister stablecoin UST.

The team behind the Venus Protocol released a statement confirming suspicions that had been floating around for hours about the potential mishandling of the fiasco around Luna. 

“Today, we became aware of errant price behavior for LUNA on Venus Protocol. Upon investigation, it was learned that the price feed had been paused by Chainlink due to extreme market conditions,” Venus Protocol explained. 

“The price on Venus was last listed at about $0.107 while the market price was $0.01. In order to de-risk this situation, the protocol was paused using PauseGuardian via multisig. Upon this desyncing event, it was discovered that 2 accounts had suspiciously deposited a sum of 230,000,000 LUNA valued at over $24,000,000. Assets were borrowed totalling around $13,500,000.”

Venus Protocol Official Statement Regarding LUNA: https://t.co/6Yvel7eAAk

— Venus Protocol (@VenusProtocol) May 12, 2022

Venus Protocol and several other platforms use Chainlink to provide their users with real-time price estimates for the tokens available for lending and borrowing on their platforms.

But the tool began having issues with Luna on Thursday as the price continued to fall precipitously. 

why does chainlink price oracle have min price setting? luna dropped below $0.1 but the chainlink oracle’s min price is $0.1🤡 https://t.co/kplZ66Ei54

— Zoeyuuu (@zzzzoey_t) May 12, 2022

“As a result, it was possible to deposit UST and LUNA as collateral and borrow other tokens, with an underpriced collateral valuation. Liquidable accounts also depend on the Chainlink oracles,” decentralized finance researcher Vali Dyor explained.

Chainlink released its own statement on the issues with its oracles, saying that the minimum value circuit breaker for the LUNA/USD Price Feeds was automatically triggered due to the “unprecedented volatility across the cryptocurrency markets.”

They explained that the circuit breaker is one component of their security efforts that is used to “protect against flash crashes and other forms of market manipulation.”
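As an added illustration (not code from Venus Protocol, Chainlink or the original article), the sketch below models a consumer-side guard that refuses to value collateral when a feed reading is stale or sits at its lower circuit-breaker bound, using the figures quoted above. The `FeedReading` fields, the 10% margin, the one-hour maximum age, the upper bound, the timestamp and the 0.55 collateral factor are assumptions chosen for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

@dataclass(frozen=True)
class FeedReading:
    """One oracle reading; field names are hypothetical, not a real API."""
    answer: Decimal       # USD price the feed reports
    updated_at: int       # unix time of the feed's last update
    min_answer: Decimal   # lower circuit-breaker bound of the feed
    max_answer: Decimal   # upper circuit-breaker bound of the feed

def feed_problem(r: FeedReading, now: int, max_age_s: int = 3600,
                 margin: Decimal = Decimal("0.10")) -> Optional[str]:
    """Return why the reading must not be trusted, or None if usable."""
    if now - r.updated_at > max_age_s:
        return "stale"
    # A price at (or within `margin` of) a bound may be clamped: the real
    # market can be far beyond it, as with LUNA at $0.01 vs. $0.107 listed.
    if r.answer <= r.min_answer * (1 + margin):
        return "at_min_bound"
    if r.answer >= r.max_answer * (1 - margin):
        return "at_max_bound"
    return None

def naive_value(amount: Decimal, price: Decimal) -> Decimal:
    """Collateral value with no sanity checks (what a pinned feed inflates)."""
    return amount * price

def borrow_limit(amount: Decimal, r: FeedReading, collateral_factor: Decimal,
                 now: int) -> Tuple[Decimal, str]:
    """Borrowing power, forced to zero when the feed fails its checks."""
    problem = feed_problem(r, now)
    if problem is not None:
        return Decimal(0), problem
    return naive_value(amount, r.answer) * collateral_factor, "ok"

# Constructed sample built from the article's figures; NOW, the upper
# bound and the collateral factor are assumptions.
NOW = 1_652_400_000
LUNA_DEPOSIT = Decimal("230000000")
PINNED = FeedReading(Decimal("0.107"), NOW - 60, Decimal("0.1"), Decimal("10000"))
MARKET_PRICE = Decimal("0.01")
COLLATERAL_FACTOR = Decimal("0.55")

if __name__ == "__main__":
    print("valued at feed price:", naive_value(LUNA_DEPOSIT, PINNED.answer))
    print("valued at market    :", naive_value(LUNA_DEPOSIT, MARKET_PRICE))
    print("guarded borrow limit:", borrow_limit(LUNA_DEPOSIT, PINNED, COLLATERAL_FACTOR, NOW))
```

With the feed pinned at $0.107 the deposit is valued at $24,610,000 against $2,300,000 at the $0.01 market price; the guard returns a borrow limit of zero with the reason `at_min_bound`.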

The attack on Venus Protocol was the reverse of a popular hack used to attack decentralized finance platforms.

Flash loan attacks — which involve hackers borrowing funds that do not require collateral, buying a significant amount of a cryptocurrency to artificially raise its price, and then offloading the coins before the loan is paid back, with the borrower keeping any profit — have been used to attack several platforms in recent months.

But Chainlink noted that the triggering of the circuit breaker was not “a manual intervention by node operators, Chainlink Labs, or other third parties.”

“Some users proactively paused their applications, while other users were informed of the impacted feeds and reminded to immediately pause their application’s use of the feeds in accordance with best practices outlined in the Chainlink documentation,” Chainlink said.

“The LUNA/USD Price Feeds are now operational, but not recommended based on the asset’s risk profile. We will be learning from this set of market events to continually improve the protocol’s approach to circuit breaker parameters and other layers of security across various oracle networks.”

Official team statement on the Chainlink LUNA/USD Price Feeds situation pic.twitter.com/EjA5naYalu

— ChainLinkGod.eth (@ChainLinkGod) May 13, 2022

Venus Protocol has decided to suspend the LUNA market effective immediately at the request of its users and has a “Risk Fund” that will be used to cover the shortfall caused. 

All wallets that hold a position in Luna will be temporarily disabled while the market is disabled.

“Subsequently, a VIP will be prepared asking the community to set the collateral factor for LUNA to 0, after which the Chainlink price feed will be re-enabled which will allow withdrawals and liquidations. Venus is also assessing the UST Situation carefully and will take further actions as necessary,” they explained. 

Early on Friday morning, the protocol announced that it was “pausing” for 48 hours and that no liquidations would be allowed. 

ℹ️ Venus will unpause in 48 hours (per the time lock).

⏸ All liquidity is still contained within the protocol and no liquidations will take place during this period.

📰 We will continue to provide updates until Venus is unpaused.

— Venus Protocol (@VenusProtocol) May 13, 2022

As the price of Luna cratered overnight, exchanges and markets were forced to make difficult choices on how to approach the cryptocurrency. 

Binance stopped all trading of Luna and UST on its platform but the moves have done little to stop all cryptocurrency values from being depressed across the board.

The post Collapse of Luna cryptocurrency leads to $11 million exploit on Venus Protocol appeared first on The Record by Recorded Future.
