Collapse of Luna cryptocurrency leads to $11 million exploit on Venus Protocol
Venus Protocol, a decentralized money market, announced on Thursday evening that about $11 million had been lost due to people exploiting the historic collapse of the Luna cryptocurrency and its sister stablecoin UST.
The team behind the Venus Protocol released a statement confirming suspicions that had been floating around for hours about the potential mishandling of the fiasco around Luna.
“Today, we became aware of errant price behavior for LUNA on Venus Protocol. Upon investigation, it was learned that the price feed had been paused by Chainlink due to extreme market conditions,” Venus Protocol explained.
“The price on Venus was last listed at about $0.107 while the market price was $0.01. In order to de-risk this situation, the protocol was paused using PauseGuardian via multisig. Upon this desyncing event, it was discovered that 2 accounts had suspiciously deposited a sum of 230,000,000 LUNA valued at over $24,000,000. Assets were borrowed totalling around $13,500,000.”
Venus Protocol Official Statement Regarding LUNA: https://t.co/6Yvel7eAAk
— Venus Protocol (@VenusProtocol) May 12, 2022
Venus Protocol and several other platforms use Chainlink to provide their users with real-time price estimates of the tokens available for lending and borrowing on their platforms.
But the tool began having issues with Luna on Thursday as the price continued to fall precipitously.
why does chainlink price oracle have min price setting? luna dropped below $0.1 but the chainlink oracle's min price is $0.1 https://t.co/kplZ66Ei54
— Zoeyuuu (gm, ) (@zzzzoey_t) May 12, 2022
“As a result, it was possible to deposit UST and LUNA as collateral and borrow other tokens, with an underpriced collateral valuation. Liquidable accounts also depend on the Chainlink oracles,” decentralized finance researcher Vali Dyor explained.
Chainlink released its own statement on the issues with its oracles, saying that the minimum value circuit breaker for the LUNA/USD Price Feeds was automatically triggered due to the "unprecedented volatility across the cryptocurrency markets."
They explained that the circuit breaker is one component of their security efforts that is used to "protect against flash crashes and other forms of market manipulation."
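An added example, not code from Venus Protocol or Chainlink: a Python sketch of consumer-side checks a lending market can run before trusting a feed answer, applied to the figures quoted above. The function names, the one-hour staleness limit, the 10% margin, the maximum bound and the timestamps are assumptions; the $0.107 feed price, $0.01 market price, $0.1 minimum, 230,000,000 LUNA and $13,500,000 borrowed come from the statements quoted in this article.

```python
from dataclasses import dataclass

SCALE = 10**8  # fixed-point scale for USD prices (assumption for this sketch)


@dataclass(frozen=True)
class Round:
    answer: int      # reported price * SCALE
    updated_at: int  # unix seconds of the last feed update


def feed_problems(rnd, now, min_answer, max_answer, max_age, margin_bps=1000):
    """Return the reasons a round should not be used to value collateral."""
    problems = []
    if rnd.answer <= 0:
        problems.append("non-positive answer")
    if now - rnd.updated_at > max_age:
        problems.append("stale")
    # Close to a bound, the real price may lie outside the reportable range.
    if rnd.answer <= min_answer + min_answer * margin_bps // 10_000:
        problems.append("at or near min bound")
    if rnd.answer >= max_answer - max_answer * margin_bps // 10_000:
        problems.append("at or near max bound")
    return problems


def shortfall(amount, feed_price, market_price, borrowed_usd):
    """Whole-USD collateral value per feed, per market, and resulting bad debt."""
    feed_value = amount * feed_price
    market_value = amount * market_price
    bad_debt = max(0, borrowed_usd * SCALE - market_value)
    return feed_value // SCALE, market_value // SCALE, bad_debt // SCALE


# Figures from the article; timestamps and limits are constructed.
T0 = 1_652_350_000                       # constructed: time of last feed update
LUNA_ROUND = Round(answer=10_700_000, updated_at=T0)   # $0.107
MIN_ANSWER = 10_000_000                  # $0.1 minimum cited in the tweet
MAX_ANSWER = 1_000 * SCALE               # constructed upper bound
MAX_AGE = 3_600                          # assumed staleness limit, seconds

if __name__ == "__main__":
    print(feed_problems(LUNA_ROUND, T0 + 3 * 3_600, MIN_ANSWER, MAX_ANSWER, MAX_AGE))
    print(shortfall(230_000_000, 10_700_000, 1_000_000, 13_500_000))
```

Either flag alone is enough to stop new borrows against the asset; the shortfall figure reproduces the roughly $11 million gap between what was borrowed and what the collateral was worth at market.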
The attack on Venus Protocol was the reverse of a popular hack used to attack decentralized finance platforms.
Flash loan attacks have been used to attack several platforms in recent months. In these attacks, hackers borrow funds that do not require collateral, buy a significant amount of a cryptocurrency to artificially raise its price, and then offload the coins before the loan is paid back, with the borrower keeping any profit.
But Chainlink noted that the triggering of the circuit breaker was not "a manual intervention by node operators, Chainlink Labs, or other third parties."
"Some users proactively paused their applications, while other users were informed of the impacted feeds and reminded to immediately pause their application's use of the feeds in accordance with best practices outlined in the Chainlink documentation," Chainlink said.
"The LUNA/USD Price Feeds are now operational, but not recommended based on the asset's risk profile. We will be learning from this set of market events to continually improve the protocol's approach to circuit breaker parameters and other layers of security across various oracle networks."
Official team statement on the Chainlink LUNA/USD Price Feeds situation pic.twitter.com/EjA5naYalu
— ChainLinkGod.eth (@ChainLinkGod) May 13, 2022
Venus Protocol has decided to suspend the LUNA market effective immediately at the request of its users and has a “Risk Fund” that will be used to cover the shortfall caused.
All wallets that have a position with Luna will be disabled temporarily as they disable the market.
“Subsequently, a VIP will be prepared asking the community to set the collateral factor for LUNA to 0, after which the Chainlink price feed will be re-enabled which will allow withdrawals and liquidations. Venus is also assessing the UST Situation carefully and will take further actions as necessary,” they explained.
Early on Friday morning, the protocol announced that it was “pausing” for 48 hours and that no liquidations would be allowed.
Venus will unpause in 48 hours (per the time lock).
⏸ All liquidity is still contained within the protocol and no liquidations will take place during this period.
We will continue to provide updates until Venus is unpaused.
— Venus Protocol (@VenusProtocol) May 13, 2022
As the price of Luna cratered overnight, exchanges and markets were forced to make difficult choices on how to approach the cryptocurrency.
Binance stopped all trading of Luna and UST on its platform, but the moves have done little to stop cryptocurrency values from being depressed across the board.
DeFi platform Blizz Finance announced that it was attacked in the same way Venus Protocol was and will be shutting down because of the attack.
They said the protocol was "drained" before it could stop the process. More than $8.3 million was lost.
We have built on the AVAX ecosystem in good faith with the expectation that @chainlink oracles would behave as expected. Sorry to those affected.
— Blizz Finance (@BlizzFinance) May 13, 2022
"Blizz has no treasury or development fund and a significant portion of the stolen assets belonged to our team. As such we regret to announce the protocol has been paused and we do not intend to resume operations," the protocol said in a statement.
"We will be shutting down the front-end and closing official communication channels in the coming days. Funds held by the protocol in LUNA (around $1.5M or 25% of the protocol holding pre-exploit) will be distributed to users using a snapshot prior to when the attacks began."
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.