Hacker Drains $100M from DeFi Platform Mango Markets

  • The attacker was able to manipulate the price of MNGO, which increased the collateral value of his account and allowed him take out massive loans.
  • The individual has proposed to send back the stolen funds if Mango Markets agrees to pay back bad debt using its remaining USDC and not pursue a criminal investigation.
hacker

Shutterstock

Solana-based decentralized finance (DeFi) platform Mango Markets has suffered from a price manipulation exploit, which saw the exchange lose more than $100 million, the platform said on Twitter on 12 October.

According to the announcement, a hacker was able to manipulate the price of the exchange’s native token, Mango (MNGO), which allowed him to take out “massive loans” from Mango’s treasury. The team behind the project quickly disabled deposits “as a precaution”, took steps to have “third parties freeze funds in flight”, and asked the attacker to contact them to discuss a bug bounty.

“We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.”

The attacker first deposited $5 million in USDC on Mango, which he used to open an outsized long position in MNGO-PERP. The prices of the token then jumped substantially in a “matter of minutes”, causing the collateral value of the attacker’s account to increase, and allowing him to take massive debt positions on Mango Market’s borrowing and lending platform. The account in question has since withdrawn $50 million in USDC, $26.7 million of mSOL, and nearly $24 million worth of SOL.

An update from the DeFi platform later indicated Mango’s team was able to contact the involved parties, which showed a “willingness to negotiate”. The platform stated that the best course of action right now would be to “continue communicating with those responsible”, and eventually “resolve the issue amicably”.

The hacker later made a proposal on Mango’s governance platform, requesting that Mango uses its remaining $70 million in USDC to repay bad debt within the protocol, with the debt being viewed as a bug bounty. The individual said he would return the stolen funds if the platform also promises to not pursue a criminal investigation or freeze his funds.

Discussion
Related Coverage
FTX Owes Over $3B to Top 50 Creditors, Liquid Pauses All Trading
  • New bankruptcy court filings revealed that FTX owed its top 50 creditors around $3 billion, with sums ranging from $21 million and $226 million.
  • Japanese crypto exchange Liquid, which was acquired by FTX in May, suspended all trading on its platform only five days after pausing crypto and fiat withdrawals.
November 21, 2022, 12:08 PM
FTX

Shutterstock

FTX Bankruptcy Filing Says it May Have Over 1M Creditors
  • A new document filed with the bankruptcy court in Delaware shows that troubled crypto exchange FTX may have more than one million creditors.
  • FTX has also filed a motion to group its more than 100 entities that are filing for bankruptcy together, rather than treating them as individual cases.
FTX Hacked, Exchange Under Investigation in the Bahamas
  • Shortly after filing for bankruptcy on Friday, FTX experienced a hack that saw close to $500 million in tokens leaving the exchange.
  • The Bahamas Securities Commission and the Financial Crimes Investigation Branch of the police have launched an investigation into the exchange to check if any criminal misconduct took place in FTX.