The team's initial announcement encouraged users not to deposit, and requested that the attacker get in touch about a bounty.
Strangely, they were less keen to offer a bounty when the issue was raised via the project’s Discord back in March.
In true DeFi style, the attacker has used their freshly acquired responsibility tokens to suggest a solution to the mess that they themselves created.
Their proposal suggests that Mango pay the hacker a bounty of ~$65M, and that they do not pursue any criminal investigation.
No prizes for guessing which way the hacker voted on the proposal…
Welcome to the future of finance.
Credit: Joshua Lim
Attacker’s address: yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqM
By countertrading against the position from another account, the attacker succeeded in spiking the spot price of MNGO massively from $0.03 to $0.91. While the MNGO price remained high, the attacker was able to drain the lending pools using the unrealised profit from the long position as collateral.
The attacker’s Mango Markets account displays a $115M shortfall. The borrowed assets are listed below:
The extreme price manipulation was made possible by the MNGO token’s low liquidity and volume. After some mixed messaging, Mango Markets later clarified that the incident was not an oracle failure, but rather genuine price manipulation.
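The two paragraphs above describe the mechanism: a thin spot market was pushed up, and the resulting unrealised profit on the long position was accepted as collateral for borrowing. The following is an added example, not code from Mango Markets or from this post, that models a toy margin engine in Python to show why valuing paper profit at the instantaneous spot price over-lends, and how a TWAP valuation plus a cap on PnL-derived credit bounds the exposure; all position sizes, weights and price samples are constructed assumptions.

```python
# Added example (not Mango Markets code): a toy margin engine showing why
# counting spot-valued unrealised profit as collateral is dangerous. All
# sizes, weights and prices are constructed assumptions.
from dataclasses import dataclass
from statistics import mean

@dataclass
class Account:
    deposits_usd: float   # stable collateral actually deposited
    perp_size: float      # long MNGO-PERP size in tokens
    perp_entry: float     # average entry price in USD

def unrealised_pnl(acct: Account, mark: float) -> float:
    return acct.perp_size * (mark - acct.perp_entry)

def borrow_capacity_naive(acct: Account, spot: float, weight: float = 0.8) -> float:
    """Risky design: unrealised profit is valued at the instantaneous spot price
    and counted like deposited funds, so one illiquid market sets the whole
    borrow limit. The oracle can be honest and the engine still over-lends."""
    return weight * (acct.deposits_usd + max(0.0, unrealised_pnl(acct, spot)))

def borrow_capacity_hardened(acct: Account, price_history: list[float],
                             weight: float = 0.8, pnl_cap_ratio: float = 1.0) -> float:
    """Mitigations: value PnL at min(spot, TWAP) so a short spike barely moves it,
    and never extend more credit against paper profit than against the funds
    the account actually deposited (pnl_cap_ratio * deposits)."""
    mark = min(price_history[-1], mean(price_history))
    pnl = min(max(0.0, unrealised_pnl(acct, mark)), pnl_cap_ratio * acct.deposits_usd)
    return weight * (acct.deposits_usd + pnl)

# Constructed scenario: 59 one-minute samples at $0.03, then the spike to $0.91.
MNGO_HISTORY = [0.03] * 59 + [0.91]
ATTACKER = Account(deposits_usd=5_000_000, perp_size=400_000_000, perp_entry=0.03)

def compare_at_spike(acct: Account = ATTACKER, history: list[float] = MNGO_HISTORY) -> dict:
    """Borrow limit each design grants at the top of the spike (USD)."""
    return {"naive": borrow_capacity_naive(acct, history[-1]),
            "hardened": borrow_capacity_hardened(acct, history)}

if __name__ == "__main__":
    for name, usd in compare_at_spike().items():
        print(f"{name:9s} borrow capacity: ${usd:,.0f}")
```

With the constructed inputs the naive engine lends roughly $285M against $5M of real deposits, while the hardened one lends $8M; the same single-minute spike that dominates the spot price barely shifts the one-hour TWAP.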
The attack drained all of Mango Markets’ available borrow liquidity, with $70M remaining in the treasury. This leaves a shortfall of approximately $50M to cover the bad debt left by the incident, which the hacker is proposing to return.
The governance vote on the hacker’s proposal is ongoing and, of course, the attacker voted yes with all of their stolen 32M votes:
The hacker’s proposal would allow users to be made whole and the protocol to become functional again, essentially starting from scratch. And by the looks of Mango Markets’ stated priorities, it sounds like taking the offer would check all their boxes…
But surely this behaviour can’t be rewarded with a “bounty” of ~$65M, the total of remaining USDC, BTC, USDT, and SRM?
How “binding” is a DAO vote? With no existing laws regarding DeFi governance proposals, this story will set a precedent.
If the token governance vote system remains in use, then there will surely be more hostile takeovers, if not from hackers, then from competing organisations. These events already happen in traditional finance, but DeFi, or regulators, will have to prepare their own method to defend their governance systems from potential bad actors.
If only Mango had paid out a bounty in March, and prevented the attack from happening in the first place…
A similar attack on Venus Protocol last year (not to be confused with the more recent incident related to the Luna fallout) led to a user raising concerns within the Mango community over six months ago.
With so much advance notice, why wasn’t this attack averted?