Solana-based decentralized finance (DeFi) platform Mango Markets has suffered from a price manipulation exploit, which saw the exchange lose more than $100 million, the platform said on Twitter on 12 October.
According to the announcement, a hacker was able to manipulate the price of the exchange’s native token, Mango (MNGO), which allowed him to take out “massive loans” from Mango’s treasury. The team behind the project quickly disabled deposits “as a precaution”, took steps to have “third parties freeze funds in flight”, and asked the attacker to contact them to discuss a bug bounty.
“We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.”
The attacker first deposited $5 million in USDC on Mango, which he used to open an outsized long position in MNGO-PERP. The prices of the token then jumped substantially in a “matter of minutes”, causing the collateral value of the attacker’s account to increase, and allowing him to take massive debt positions on Mango Market’s borrowing and lending platform. The account in question has since withdrawn $50 million in USDC, $26.7 million of mSOL, and nearly $24 million worth of SOL.
An update from the DeFi platform later indicated Mango’s team was able to contact the involved parties, which showed a “willingness to negotiate”. The platform stated that the best course of action right now would be to “continue communicating with those responsible”, and eventually “resolve the issue amicably”.
The hacker later made a proposal on Mango’s governance platform, requesting that Mango uses its remaining $70 million in USDC to repay bad debt within the protocol, with the debt being viewed as a bug bounty. The individual said he would return the stolen funds if the platform also promises to not pursue a criminal investigation or freeze his funds.