Compound Pauses YFI, ZRX, BAT and MKR Supply to Protect Against Potential Exploits

Decentralized finance (DeFi) application Compound has paused the supply of four prominent tokens to protect users against a potential market manipulation attack – a new type of exploit that has seen over $100 million in stolen funds this month alone.

Tokens for 0x (ZRX), Yearn Finance (YFI), Basic Attention Token (BAT) and Maker (MKR) will no longer be lent to users on Compound v3, the protocol’s latest version.

“An oracle manipulation-based attack analogous to the one that cost Mango Markets $117 [million] is much less likely to occur on Compound due to collateral assets having much deeper liquidity than MNGO and Compound requiring loans to be over-collateralized,” Compound developers wrote on Tuesday.

“However, out of an abundance of caution, we propose pausing supply for the above assets, given their relative liquidity profiles,” they added.

The move came after a proposal floated by Compound’s governance community was passed this morning with over 99% of all voters in favor, with some 554,000 COMP staked to vote. Crypto data provider Gauntlet was the biggest voter with some 126,000 COMP staked as votes, followed by Compound founder Robert Leshner, who staked some 70,000 COMP.

The proposal, floated initially in September, flagged low liquidity for the four tokens on Compound as a potential attack vector for market manipulation exploits.

Developers wrote at the time that attackers could manipulate lending markets on Compound to be able to illicitly borrow funds in excess of their holdings. They also flagged a more sophisticated strategy that would exploit the pricing difference on two assets that use different oracles, or third-party services that fetch data from outside a blockchain to within.

Market manipulations: The new crypto exploit strategy

Market manipulation led to a $100 million exploit on Solana-based trading and lending protocol Mango Markets earlier this month. The exploit helped bring more attention to the September proposal, which initially failed to garner much attention.

Mango, like other DEXs, relied on smart contracts to match trades between decentralized finance (DeFi) users. This is key to understanding how such exploits take place: Smart contracts are wholly decentralized and are not overseen by a centralized party – which means a rogue trader can deploy enough money to exploit loopholes in any protocol without the risk of anyone stepping in to stop the attack before it takes place.

In such exploits, rogue traders use initial funding to buy up a relatively illiquid spot token, which often leads to the prices of that token shooting up in a very short time span.

As spot prices increase, the rogue trader then uses the artificially inflated tokens as collateral to quickly borrow other tokens – with the motive of eventually draining all funds from the attacked protocol.

It’s important to note that the above manipulation strategy won't work on two centralized exchanges, because a trader placing high bids on one venue would mean prices automatically move higher on that exchange and other exchanges immediately raise the price of assets on their own systems – meaning the strategy is unlikely to net any profits.