An attack on Mango, a decentralized finance (DeFi) platform built on Solana, resulted in a $100 million loss.
We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation.
We are taking steps to have third parties freeze funds in flight. 1/
— Mango (@mangomarkets) October 11, 2022
Blockchain developer Tom Geshury alerted blockchain auditor OtterSec, which then informed the authorities. The hack was carried out by manipulating the value of the attacker’s own Mango collateral.
A temporary rise in the value of that collateral let them take out large loans from the Mango Treasury. According to a tweet from Mango, the company is investigating the issue.
It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury. pic.twitter.com/2IJrB9RcEJ
— OtterSec (@osec_io) October 11, 2022
Hackers’ motives
The MNGO governance token was valued much higher than it should have been, according to OtterSec’s Robert Chen. That allowed the attacker to borrow substantial funds against it, depleting Mango’s liquidity reserves. As on any lending and borrowing platform, if your collateral is overpriced, you can borrow against that inflated value.
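To make the overpriced-collateral point concrete, here is an added example (not code from Mango, OtterSec or the original article). It compares a borrow limit computed from the latest oracle price with one computed from a price clamped to a band around a recent median; all prices, parameters and function names are constructed for illustration.

```python
"""Collateral valuation: latest oracle price vs. a deviation-guarded price."""
from statistics import median

# Constructed oracle observations for a thinly traded collateral token;
# the last three model a short-lived spike like the one described above.
PRICES = [0.030, 0.031, 0.030, 0.029, 0.030, 0.031, 0.300, 0.420, 0.910]

# Hypothetical risk parameters, not taken from any real protocol.
TOKENS = 10_000_000      # collateral tokens deposited
WEIGHT = 0.8             # share of collateral value that may be borrowed
MAX_DEVIATION = 0.10     # allowed move relative to the reference price
WINDOW = 6               # observations used for the reference price


def naive_limit(prices):
    """Borrow limit when collateral is valued at the latest price alone."""
    return TOKENS * prices[-1] * WEIGHT


def guarded_price(prices):
    """Latest price clamped to a band around the median of prior prices.

    Returns (price_used, flagged); flagged is True when clamping occurred.
    """
    history = prices[-(WINDOW + 1):-1]
    if len(history) < WINDOW:
        raise ValueError("not enough history to value collateral")
    ref = median(history)
    low, high = ref * (1 - MAX_DEVIATION), ref * (1 + MAX_DEVIATION)
    clamped = min(max(prices[-1], low), high)
    return clamped, clamped != prices[-1]


def guarded_limit(prices):
    """Borrow limit using the guarded price; also reports the flag."""
    price, flagged = guarded_price(prices)
    return TOKENS * price * WEIGHT, flagged


def flagged_steps(prices):
    """Indices at which the guard would have clamped the oracle price."""
    return [i for i in range(WINDOW, len(prices))
            if guarded_price(prices[:i + 1])[1]]


if __name__ == "__main__":
    print(f"naive:   {naive_limit(PRICES):,.0f}")
    print(f"guarded: {guarded_limit(PRICES)[0]:,.0f}")
    print("clamped at indices:", flagged_steps(PRICES))
```

A median guard only resists short spikes: a price that stays elevated for more than half the window moves the reference, so per-asset deposit and borrow caps are still needed alongside it.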
According to the protocol, deposits through the front end are currently disabled. It also stated that it would offer a reward for returned funds.
I've had 2 heady toppers but I think this is how they did it. First deposit 5m into this account and be the counterparty for the main hacker address on a short $MNGO-perp position https://t.co/QjrMiS2sUK
— Fudzy (@fozzydiablo) October 11, 2022
The Mango hack was the second significant hack in a week; the first was the DeFi attack on Binance’s BNB blockchain that stole $80 million.
In an attempt to bargain for a reward, the hacker has put forward a proposal. According to the hacker’s statement, the Mango Treasury has roughly 70 million USDC available to settle the bad debt.
The hacker will send tokens to a specified address provided by the Mango team if the proposal is approved to pay off any outstanding debt. Mango holders would waive all rights against accounts with bad debts and agree to settle the accounts.
***