Hacker Drains $100M from DeFi Platform Mango Markets

  • The attacker was able to manipulate the price of MNGO, which increased the collateral value of his account and allowed him take out massive loans.
  • The individual has proposed to send back the stolen funds if Mango Markets agrees to pay back bad debt using its remaining USDC and not pursue a criminal investigation.
hacker

Shutterstock

Solana-based decentralized finance (DeFi) platform Mango Markets has suffered from a price manipulation exploit, which saw the exchange lose more than $100 million, the platform said on Twitter on 12 October.

According to the announcement, a hacker was able to manipulate the price of the exchange’s native token, Mango (MNGO), which allowed him to take out “massive loans” from Mango’s treasury. The team behind the project quickly disabled deposits “as a precaution”, took steps to have “third parties freeze funds in flight”, and asked the attacker to contact them to discuss a bug bounty.

“We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.”

The attacker first deposited $5 million in USDC on Mango, which he used to open an outsized long position in MNGO-PERP. The prices of the token then jumped substantially in a “matter of minutes”, causing the collateral value of the attacker’s account to increase, and allowing him to take massive debt positions on Mango Market’s borrowing and lending platform. The account in question has since withdrawn $50 million in USDC, $26.7 million of mSOL, and nearly $24 million worth of SOL.

An update from the DeFi platform later indicated Mango’s team was able to contact the involved parties, which showed a “willingness to negotiate”. The platform stated that the best course of action right now would be to “continue communicating with those responsible”, and eventually “resolve the issue amicably”.

The hacker later made a proposal on Mango’s governance platform, requesting that Mango uses its remaining $70 million in USDC to repay bad debt within the protocol, with the debt being viewed as a bug bounty. The individual said he would return the stolen funds if the platform also promises to not pursue a criminal investigation or freeze his funds.

Discussion
Related Coverage
Binance Introduces NFT Loan Tool
  • Users of Binance NFT can now use select blue-chip NFT collections as collateral to take out cryptocurrency loans.
  • The platform will initially support only loans in ETH, and NFT collections Bored Ape Yacht Club, Mutant Ape Yacht Club, Azuki, and Doodles.
May 25, 2023, 3:08 PM
binance

Shutterstock

KuCoin Twitter Account Hacked, Exchange to Reimburse Losses
  • The Twitter account of the crypto exchange was compromised for roughly 45 minutes on Monday, resulting in 22 transactions connected to the hack.
  • KuCoin has calculated that the total asset losses were 22,638 USDT, and noted that it will fully reimburse users affected in the incident.
Solana to Improve Network Upgrade Process Following Last Week’s Outage
  • The Solana network experienced a noticeable slowdown in block production after its most recent 1.14 network upgrade was implemented last week.
  • In order to avoid similar issues in the future, one-third of Solana’s core engineers will now be focused on stability and adversarial testing.