Solana-based Decentralized Finance Platform takes a massive hit
Mango Markets is a decentralized finance platform on the Solana blockchain. Users of Mango can make spot trades and take out loans. The platform is yet another victim of the hacks that have seen hundreds of millions stolen. This attack comes hot on the heels of a previous attack on BNB that saw millions stolen.
Some have said that the governance token, MNGO, is overvalued, and the attacker was able to use that to their advantage. The attacker took out huge loans against the token, borrowing against overvalued collateral and thereby draining the liquidity pools on Mango.
There are many theories as to how the attacker was able to pull off such a feat, but nothing really concrete at the moment.
Mango Markets confirmed the exploit in a tweet on Tuesday, October 11, 2022, and stated that an investigation into the incident was underway. They stated the hack was carried out via oracle price manipulation.
Currently the funds are still on the Solana blockchain; they have not yet been moved anywhere else, nor have they been put through Tornado Cash. The attacker got away with $100 million in assets, and the price of the token has taken a huge dive.
The price plunged by over 75% after the attack, dropping to $0.019. The current price is $0.024, against an initial price of $0.08 before the attack; the token has made a bit of a gain but is still sitting 41% down from last week. The TVL of the token was also damaged, as it plummeted from $104M to just $209 on the 12th of October.
How did it happen?
Just like any other DEX, Mango Markets relies on smart contracts to match trades between DeFi users. Smart contracts are decentralized and are not overseen by any one party, which gives a rogue trader an opportunity to exploit the system. With enough money, loopholes can be exploited without the risk of anyone stepping in, or at times even being aware.
There were two accounts used in the attack. One account was used by the trader to initially put in $5 million USDC in order to purchase $483 million MNGO and thus go short. The second account was used to put in another 5 million USDC in order to purchase the same amount of MNGO, using 10 million USDC in total to hedge his position.
The next step was for the trader to use more funds to buy up spot MNGO tokens, raising the price of the token exponentially within 10 minutes. This was easy to do since MNGO was a low-liquidity token with very little trade. As the spot MNGO price increased, the trader's second account racked up $420 million in false profits. The attacker took the $116 million in liquidity from all tokens available and wiped the protocol.
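As an added illustration that is not part of the original article or Mango Markets' code, the Python sketch below values the second (long) account at the raw spot price and at a rate-limited reference price, with a deviation check that freezes borrowing. The 483 million MNGO size and 5 million USDC deposit follow the article; the entry price, price ticks, 5% step cap and 25% deviation threshold are constructed assumptions.

```python
# Added example (not Mango Markets code). Position size and deposit follow the
# article; every price and risk parameter below is constructed for illustration.
from dataclasses import dataclass

POSITION_MNGO = 483_000_000   # long position size, from the article
DEPOSIT_USDC = 5_000_000      # USDC put into that account, from the article
ENTRY_PRICE = 0.04            # constructed entry price
SPOT_TICKS = [0.04, 0.06, 0.10, 0.20, 0.40, 0.70, 0.90]  # constructed thin-market ramp


@dataclass
class RateLimitedPrice:
    """Reference price that follows spot but moves at most max_step per update."""
    value: float
    max_step: float = 0.05  # assumed cap: 5% per oracle update

    def update(self, spot: float) -> float:
        lo = self.value * (1 - self.max_step)
        hi = self.value * (1 + self.max_step)
        self.value = min(max(spot, lo), hi)
        return self.value


def equity(mark: float) -> float:
    """Account equity = deposit + unrealized PnL of the long position at `mark`."""
    return DEPOSIT_USDC + POSITION_MNGO * (mark - ENTRY_PRICE)


def simulate(max_deviation: float = 0.25):
    """Return (equity at raw spot, equity at guarded price, borrowing_frozen)."""
    ref = RateLimitedPrice(SPOT_TICKS[0])
    frozen = False
    for spot in SPOT_TICKS:
        guarded = ref.update(spot)
        # Circuit breaker: stop new borrows while spot runs away from the reference.
        if abs(spot - guarded) / guarded > max_deviation:
            frozen = True
    return equity(SPOT_TICKS[-1]), equity(guarded), frozen


if __name__ == "__main__":
    raw, guarded, frozen = simulate()
    print(f"equity valued at raw spot:       ${raw:,.0f}")
    print(f"equity valued at guarded price:  ${guarded:,.0f}")
    print(f"borrowing frozen by deviation check: {frozen}")
```

With these constructed ticks, the raw spot valuation shows roughly $420 million of equity to borrow against, while the rate-limited price keeps it under $12 million and the deviation check trips on the second tick.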
Mango Markets tweeted its willingness to work with the hacker, and the hacker has recently reached out to Mango with a proposal. There were many replies to the proposal, some from users saying Mango was their main source of income and begging the hacker to return everything. The hacker has stated that Mango must use $70m to pay off bad debt, a debt referring to a Solana investor who had to be bailed out after having more than $200m in debt across multiple platforms. The bailout was made because the liquidation of that investor would have been catastrophic for the entire Solana community.
Voting is still underway, but there are currently 33 million votes in favor of the proposal, with 33 million more needed for it to pass.