The team's initial announcement encouraged users not to deposit, and requested that the attacker get in touch about a bounty.
Strangely, they were less keen to offer a bounty when the issue was raised via the project’s Discord back in March.
In true DeFi style, the attacker has used their freshly acquired responsibility tokens to suggest a solution to the mess that they themselves created.
Their proposal suggests that Mango pay the hacker a bounty of ~$65M, and that they do not pursue any criminal investigation.
No prizes for guessing which way the hacker voted on the proposal…
Welcome to the future of finance.
Credit: Joshua Lim
Attacker’s address: yUJw9a2PyoqKkH47i4yEGf4WXomSHMiK7Lp29Xs2NqM
By countertrading against the position from another account, the attacker succeeded in spiking the spot price of MNGO massively from $0.03 to $0.91. While the MNGO price remained high, the attacker was able to drain the lending pools using the unrealised profit from the long position as collateral.
The attacker’s Mango Markets account displays a $115M shortfall. The borrowed assets are listed below:
The extreme price manipulation was made possible by the MNGO token’s low liquidity and volume. After some mixed messaging, Mango Markets later clarified that the incident was not an oracle failure, but rather genuine price manipulation.
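To make the collateral mechanics concrete, the following is an added toy model, not Mango Markets' code and not its actual risk parameters. It uses the two MNGO prices quoted above ($0.03 and $0.91); the position size, deposit amount, loan-to-value ratio and the two safeguards (a cap on how far the marking price may deviate from a slower reference price, and a haircut on unrealised profit) are assumptions chosen for illustration. It shows why counting unrealised profit 1:1 at a manipulable spot price inflates borrow capacity, and how much a risk engine with those two checks would have cut it.

```python
"""Toy collateral/borrow model of the Mango-style failure mode.

Constructed example. Prices come from the article (MNGO $0.03 -> $0.91);
everything else (position size, deposits, LTV, deviation cap, PnL haircut)
is an assumption for illustration, not a Mango Markets parameter.
"""
from dataclasses import dataclass

MNGO_BEFORE = 0.03   # spot price before the manipulation (from the article)
MNGO_AFTER = 0.91    # spot price at the peak (from the article)


@dataclass
class PerpPosition:
    size: float          # contracts, 1 contract = 1 MNGO; positive = long
    entry_price: float   # USD per contract at open

    def unrealised_pnl(self, mark_price: float) -> float:
        """Mark-to-market profit/loss that has not been closed out."""
        return self.size * (mark_price - self.entry_price)


def capped_mark_price(spot: float, reference: float, max_deviation: float) -> float:
    """Assumed safeguard 1: never mark collateral at a price further than
    `max_deviation` (a fraction) from a slower-moving reference price."""
    lo = reference * (1 - max_deviation)
    hi = reference * (1 + max_deviation)
    return min(max(spot, lo), hi)


def borrow_capacity(deposits_usd: float, position: PerpPosition, mark_price: float,
                    pnl_weight: float, max_ltv: float) -> float:
    """Borrowable USD when deposits plus (weighted) unrealised PnL count as collateral.
    Losses are always counted in full; only unrealised profit is haircut."""
    pnl = position.unrealised_pnl(mark_price)
    counted_pnl = pnl * pnl_weight if pnl > 0 else pnl
    collateral = deposits_usd + counted_pnl
    return max(collateral, 0.0) * max_ltv


def naive_capacity(deposits_usd: float, position: PerpPosition, spot: float) -> float:
    """Unrealised profit counted 1:1 at the instantaneous spot price."""
    return borrow_capacity(deposits_usd, position, spot, pnl_weight=1.0, max_ltv=0.8)


def guarded_capacity(deposits_usd: float, position: PerpPosition,
                     spot: float, reference: float) -> float:
    """Assumed safeguards: 20% deviation cap on the marking price plus a 50%
    haircut on unrealised profit."""
    mark = capped_mark_price(spot, reference, max_deviation=0.2)
    return borrow_capacity(deposits_usd, position, mark, pnl_weight=0.5, max_ltv=0.8)


if __name__ == "__main__":
    pos = PerpPosition(size=10_000_000, entry_price=MNGO_BEFORE)  # constructed size
    deposits = 5_000_000.0                                        # constructed deposit
    print("naive capacity  :", naive_capacity(deposits, pos, MNGO_AFTER))
    print("guarded capacity:", guarded_capacity(deposits, pos, MNGO_AFTER, MNGO_BEFORE))
```

With the constructed inputs, the naive engine lets the account borrow about $11.0M against $5M of real deposits once spot hits $0.91, while the guarded engine marks the position at no more than $0.036 and allows about $4.0M. The deviation cap is what matters most here: the haircut alone still scales with the manipulated price, whereas the cap bounds how much a short-lived spike in an illiquid market can move collateral value before a slower reference catches up.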
The attack drained all of Mango Markets’ available borrow liquidity, with $70M remaining in the treasury. This leaves a shortfall of approximately $50M to cover the bad debt left by the incident, which the hacker is proposing to return.
The governance vote on the hacker’s proposal is ongoing and, of course, the attacker voted yes with all of their stolen 32M votes:
The hacker’s proposal would allow users to be made whole and the protocol to become functional again, essentially starting from scratch. And by the looks of Mango Markets’ stated priorities, it sounds like taking the offer would check all their boxes…
But surely this behaviour can’t be rewarded with a “bounty” of ~$65M, the total of remaining USDC, BTC, USDT, and SRM?
How “binding” is a DAO vote? With no existing laws in regards to DeFi governance proposals, this story will set a precedent.
If the token governance vote system remains in use, then there will surely be more hostile takeovers, if not from hackers, then from competing organisations. These events already happen in traditional finance, but DeFi, or regulators, will have to prepare their own method to defend their governance systems from potential bad actors.
If only Mango had paid out a bounty in March, and prevented the attack from happening in the first place…
A similar attack on Venus Protocol last year (not to be confused with the more recent incident related to the Luna fallout) led to a user raising concerns within the Mango community over six months ago.
With so much advance notice, why wasn’t this attack averted?