Mango Markets - REKT

To top off yesterday's rumours, exploits and SEC action, Solana’s flagship margin trading protocol also got rekt, losing 9 figures to a well-funded market manipulator.

The attacker managed to spike the price of Mango Markets’ native token MNGO and drain their lending pools, leaving the protocol with $115M of bad debt.

The team's initial announcement encouraged users not to deposit, and requested that the attacker get in touch about a bounty.

Strangely, they were less keen to offer a bounty when the issue was raised via the project’s Discord back in March.

In true DeFi style, the attacker has used their freshly acquired responsibility tokens to suggest a solution to the mess that they themselves created.

Their proposal suggests that Mango pay the hacker a bounty of ~$65M, and that they do not pursue any criminal investigation.

No prizes for guessing which way the hacker voted on the proposal…

Welcome to the future of finance.

Credit: Joshua Lim

Attacker’s address: yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqM

The attacker’s address was funded with over $5M (2M and 3.5M USDC) from FTX, which were deposited in Mango Markets and used to take out a large MNGO-PERP position.

By countertrading against the position from another account, the attacker succeeded in spiking the spot price of MNGO massively from $0.03 to $0.91. While the MNGO price remained high, the attacker was able to drain the lending pools using the unrealised profit from the long position as collateral.

The attacker’s Mango Markets account displays a $115M shortfall. The borrowed assets are listed below:

The extreme price manipulation was made possible by the MNGO token’s low liquidity and volume. After some mixed messaging, Mango Markets later clarified that the incident was not an oracle failure, but rather genuine price manipulation.
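The collateral accounting described above, as an added example that is not from the original article and is not Mango Markets' code: it compares counting unrealised perp profit at the live price against a conservative valuation that caps and haircuts paper gains. Only the $0.03 and $0.91 prices come from the article; the deposit, position size, reference price, premium cap and profit weight are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class PerpAccount:
    deposit_usdc: float   # cash collateral (constructed value)
    position_size: float  # long MNGO-PERP size in tokens (constructed value)
    entry_price: float    # price at which the long was opened

def unrealised_pnl(acct: PerpAccount, price: float) -> float:
    return acct.position_size * (price - acct.entry_price)

def naive_borrow_limit(acct: PerpAccount, oracle_price: float) -> float:
    """Treats paper profit at the live price as fully borrowable collateral."""
    return max(0.0, acct.deposit_usdc + unrealised_pnl(acct, oracle_price))

def guarded_borrow_limit(acct, oracle_price, reference_price,
                         max_premium=0.10, profit_weight=0.0):
    """Hypothetical conservative valuation: gains are priced no higher than
    reference_price * (1 + max_premium) and then scaled by profit_weight;
    losses are always taken in full at the live price."""
    capped = min(oracle_price, reference_price * (1 + max_premium))
    pnl = unrealised_pnl(acct, capped)
    counted = pnl * profit_weight if pnl > 0 else pnl
    return max(0.0, acct.deposit_usdc + counted)

if __name__ == "__main__":
    # Constructed account: 5M USDC deposit, 100M-token long opened at $0.03.
    acct = PerpAccount(5_000_000, 100_000_000, entry_price=0.03)
    for price in (0.03, 0.91, 0.02):
        print(price, round(naive_borrow_limit(acct, price)),
              round(guarded_borrow_limit(acct, price, reference_price=0.03)))
```

Here `reference_price` stands in for a slow-moving price such as a long-window average, which a thin spot market cannot move quickly.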

Pumping the price caused over 4000 short liquidations, and as a result of the collapse of the protocol, the Solana network’s TVL is down over 20%.

The attack drained all of Mango Markets’ available borrow liquidity, with $70M remaining in the treasury. This leaves a shortfall of approximately $50M to cover the bad debt left by the incident, which the hacker is proposing to return.

The governance vote on the hacker’s proposal is ongoing and, of course, the attacker voted yes with all of their stolen 32M votes:

The hacker’s proposal would allow users to be made whole and the protocol to become functional again, essentially starting from scratch. And by the looks of Mango Markets’ stated priorities, it sounds like taking the offer would check all their boxes…

But surely this behaviour can’t be rewarded with a “bounty” of ~$65M, the total of remaining USDC, BTC, USDT, and SRM?

How “binding” is a DAO vote? With no existing laws in regards to DeFi governance proposals, this story will set a precedent.

If the token governance vote system remains in use, then there will surely be more hostile takeovers, if not from hackers, then from competing organisations. These events already happen in traditional finance, but DeFi, or regulators, will have to prepare their own method to defend their governance systems from potential bad actors.

If only Mango had paid out a bounty in March, and prevented the attack from happening in the first place…

A similar attack on Venus Protocol last year (not to be confused with the more recent incident related to the Luna fallout) led to a user raising concerns within the Mango community over six months ago.

With so much advance notice, why wasn’t this attack averted?


REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
