
Solana: Mango Markets platform hit by $114m hack

by Tim

This is the second $100+ million hack to hit decentralized finance (DeFi) this week. A few days after the BNB Chain, it was the turn of Solana (SOL) and the Mango Markets platform to suffer an attack. The hacker subtly manipulated the prices of the tokens in order to steal 114 million dollars from the protocol.

Mango Markets loses $114 million

Early last night, the Mango Markets platform announced that it had been the victim of a large-scale attack, resulting in the loss of approximately $114 million. The decentralised exchange’s services have been partially suspended pending further investigation.

“We are currently investigating an incident in which an attacker was able to drain funds from Mango via oracle price manipulation. We are taking steps to have third parties freeze the stolen funds.”

According to initial research by blockchain auditing firm OtterSec, the attack was the result of a subtle manipulation of the price of MNGO, the platform’s native token. The hacker drained $114 million from Mango Markets’ treasury.

Around 7am, the strategy used by the hacker was officially confirmed by Mango Markets. This corroborates the speculation of specialists @joshua_j_lim and OtterSec, who agree that this is a “price oracle manipulation” attack.

How the hacker did it

Specifically, the hacker reportedly started by depositing 5 million USDC into two different accounts. To begin with, he used his first account to open a 483 million MNGO short position on the MNGO/USDC perpetual contract, at a price of $0.03 per unit.

He then used his second account to take the other side of this position himself by opening a long position, causing the price of the token to jump by almost 1000% in less than an hour. Finally, the hacker applied this strategy several times to manipulate the price of MNGO, allowing it to reach up to $0.54 per unit on various exchanges such as Ascendex or FTX.

MNGO price performance against the USDC


As a result, the Pyth and Switchboard oracles used by Mango Markets updated the MNGO price, and the hacker’s long position was in profit by approximately $132 million.

This profit was then used as collateral to borrow on Mango Markets, and the borrowed funds were withdrawn in various assets such as USDC, MSOL, SOL, BTC and USDT. As a result, all available liquidity on the protocol has been drained.

MNGO is currently trading around $0.02 per unit. The short position opened by the hacker on his first account is therefore in profit by about $12 million at the moment. However, the lack of liquidity and the suspension of trading functionality do not allow him to take his profits.
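The effect of the oracle update on collateral value, and one way a lending protocol can blunt it, can be shown in a short model. This is an added example, not code from Mango Markets or from the article: it uses the position size and prices quoted above with a constructed oracle price path (so the dollar figures are illustrative), and the rate-limited collateral price and the alert threshold are hypothetical design choices.

```python
# Figures from the article; the price path below is constructed.
POSITION_MNGO = 483_000_000   # size of the MNGO perpetual position
ENTRY_PRICE = 0.03            # USD per MNGO when the position was opened
# Constructed oracle updates within one hour, ending at the reported $0.54.
ORACLE_UPDATES = [0.03, 0.03, 0.04, 0.07, 0.12, 0.20, 0.31, 0.42, 0.54]

def long_pnl(size, entry, mark):
    """Unrealized profit of a long perpetual position marked at `mark`."""
    return size * (mark - entry)

def rate_limited_prices(updates, max_step=0.10):
    """Hypothetical guard: the collateral price may move at most `max_step`
    (10%) per oracle update, so a spike only feeds through gradually."""
    guarded = [updates[0]]
    for price in updates[1:]:
        prev = guarded[-1]
        lo, hi = prev * (1 - max_step), prev * (1 + max_step)
        guarded.append(min(max(price, lo), hi))
    return guarded

def collateral_price(updates, max_step=0.10):
    """Value a long's profit at the lower of the raw and guarded price."""
    return min(updates[-1], rate_limited_prices(updates, max_step)[-1])

def divergence_alerts(updates, max_step=0.10, threshold=2.0):
    """Indexes where the raw oracle price exceeds `threshold` times the
    guarded price: a signal to pause borrowing against that market."""
    guarded = rate_limited_prices(updates, max_step)
    return [i for i, (raw, g) in enumerate(zip(updates, guarded)) if raw > threshold * g]

def report():
    """Compare borrowable profit at the raw oracle price and the guarded one."""
    raw, safe = ORACLE_UPDATES[-1], collateral_price(ORACLE_UPDATES)
    return {
        "pnl_at_raw_oracle": long_pnl(POSITION_MNGO, ENTRY_PRICE, raw),
        "pnl_at_guarded_price": long_pnl(POSITION_MNGO, ENTRY_PRICE, safe),
        "alerts": divergence_alerts(ORACLE_UPDATES),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Marked at the raw oracle price the position counts as roughly $246 million of collateral in this model; marked at the rate-limited price it counts as under $14 million, and the divergence alert fires from the fifth update onward.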

What happens next?

Some time after the fact, the hacker proposed a governance vote to the Mango DAO community. In it, he proposed to send his funds in SOL, MSOL and MNGO (about 50 million dollars) to the protocol in order to reimburse all the users harmed in this affair.

Furthermore, if the proposal is accepted, he asks that his funds not be frozen and that any legal action against him be dropped. Funnily enough, the hacker used the 32 million MNGO he holds to vote in favour of the proposal, which is about 30% of the tokens eligible for voting.

At the same time, further research showed that the hacker’s funds were deposited from an FTX account. When questioned by an internet user, FTX CEO Sam Bankman-Fried confirmed that he had launched an internal investigation and was ready to take the necessary measures.

As a reminder, FTX is a centralised exchange using Know Your Customer (KYC). In other words, each user must declare his identity in order to create an account on the platform. Thus, it is very likely that the identity of the hacker can be quickly traced.

In the statement published this morning by Mango, the protocol team confirmed that “this incident has effectively drained all available equity”. It also expressed openness to the hacker’s willingness to negotiate and said it would continue to communicate on the outcome.
