- Mango Markets is a platform built on the Solana blockchain for trading digital assets.
- A hacker used an oracle price manipulation to steal money from Mango.
- The Binance Smart Chain, which is also a DeFi protocol, had $100 million stolen just last Thursday.
In this week’s second $100 million DeFi hack, an exploit was used to steal $100 million from Mango Markets. Mango Markets said in a tweet on Tuesday night that a hacker had used an oracle price manipulation to steal money from Mango.
The Binance Smart Chain, which is also a DeFi protocol, had $100 million stolen from it just last Thursday.
OtterSec, a website for auditing blockchains, says that the attacker temporarily raised the value of their collateral and then borrowed money from the Mango treasury.
Mango Markets is a platform built on the Solana blockchain for spot margin trading of digital assets and for trading perpetual futures. Mango DAO is in charge of running Mango Markets.
OtterSec founder Robert Chen told Decrypt via Telegram, “It’s an economic design issue.” Mango Markets had already highlighted this vulnerability.
The attacker may have been able to change their Mango collateral. They temporarily raised the value of their collateral, and then they borrowed a lot of money from the Mango treasury.
“At 6:19 PM ET, an attacker funded account A with 5mm USDC collateral,” the Head of Derivatives at Genesis Global Trading, Joshua Lim, tweeted.
Lim said that after that, the attacker put 483 million MNGO perps (perpetual contracts) on the Mango Markets order book. Then, at 6:24 PM ET, the attacker put 5 million USDC into another account as collateral in order to buy 483 million units of MNGO perps for $0.03 each.
At 6:26 PM ET, the attacker started changing the price of Mango on the spot market. He or she drove the price to $0.91, making the 483 million MNGO worth $423 million.
1/Here’s how I think the mango attack went down; please correct me if I’m wrong.
The attacker then took out a loan for $116 million, leaving a negative balance of -116.7 million in Mango’s bank account. Assets like USDC, MSOL, SOL, BTC, USDT, SRM, and MNGO were all drained, taking away all of Mango’s cash.
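The sequence above can be followed in a simplified margin model, given here as an added example that is not Mango Markets' code and not part of the original article. It values the long perp position first at the latest spot print and then at a guarded price; the price series, the 0.5 collateral weight and the guard design (window average capped at 10% above the oldest price in the window) are assumptions, and the model does not reproduce the reported figures exactly.

```python
# Added illustration: a simplified margin model, not Mango Markets' code.
from statistics import mean

QTY = 483_000_000       # MNGO perps held long (figure from the article)
ENTRY = 0.03            # entry price in USD (figure from the article)
DEPOSIT = 5_000_000     # USDC collateral in the long account (from the article)
DRAINED = 116_000_000   # approximate amount the article says was borrowed

# Constructed spot prints: a quiet market, then the pump to $0.91.
PRICES = [0.03] * 8 + [0.30, 0.91]


def equity(mark):
    """Deposit plus unrealized PnL of the long perp position at `mark`."""
    return DEPOSIT + QTY * (mark - ENTRY)


def naive_mark(prices):
    """Weak setting: trust the latest spot print as the oracle price."""
    return prices[-1]


def guarded_mark(prices, window=10, max_dev=0.10):
    """Hardened setting (assumed design): take the window average, capped at
    max_dev above the oldest price in the window."""
    recent = prices[-window:]
    return min(mean(recent), recent[0] * (1 + max_dev))


def max_borrow(mark, weight=0.5):
    """Borrow limit as a share of equity; the 0.5 weight is an assumption."""
    return max(0.0, equity(mark) * weight)


def report(prices):
    """Borrow limit under each oracle policy, for side-by-side comparison."""
    return {
        "naive": max_borrow(naive_mark(prices)),
        "guarded": max_borrow(guarded_mark(prices)),
    }


if __name__ == "__main__":
    for policy, limit in report(PRICES).items():
        verdict = "treasury exposed" if limit >= DRAINED else "treasury covered"
        print(f"{policy:8s} borrow limit ${limit:,.0f} -> {verdict}")
```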
In response, Mango Markets says it has turned off deposits and is taking steps to get third-party funds frozen.
Someone on Twitter said that the attacker got $5.55 million from FTX. In response, FTX CEO Sam Bankman-Fried said that the company is looking into it.
Mango Markets has given the person who stole the money the chance to get a bug bounty in exchange for giving back the money.