Mango Markets lost $100 million to an exploit, the second $100 million DeFi attack this week. Mango Markets announced Tuesday evening that a hacker was able to drain funds from the company through oracle price manipulation.
Only last Thursday, $100 million was stolen from another DeFi project, Binance Smart Chain.
According to OtterSec, a blockchain auditing website, the attacker temporarily increased the value of their collateral before borrowing from the Mango treasury.
Mango Markets is a Solana-based platform for spot margin and perpetual futures trading of digital assets. Mango DAO governs Mango Markets.
“It’s an economic design issue,” OtterSec founder Robert Chen told Decrypt via Telegram, adding that Mango Markets was well aware of the risk.
It appears that the attacker was successful in manipulating their Mango collateral. They temporarily increased the value of their collateral before taking out huge loans from the Mango treasury.
— OtterSec (@osec_io) 10/10/2022
“At 6:19 PM ET, an attacker financed account A with 5mm USDC collateral,” Genesis Global Trading’s Head of Derivatives, Joshua Lim, tweeted.
According to Lim, the attacker then sold 483 million units of MNGO perps (perpetual contracts) on the Mango Markets order book. The attacker then funded another account with 5 million USDC collateral at 6:24 PM ET to purchase those 483 million MNGO perps for $0.03 per unit.
The attacker began changing the Mango spot market price at 6:26 PM ET, driving the price to $0.91 and the value of the 483 million MNGO to $423 million.
1/ This is how I believe the mango attack transpired; please correct me if I am incorrect:
At 6:19 PM ET, the attacker financed account A (CQvKS…) with $5 million in USDC collateral.
https://t.co/hZuV3WexWh https://t.co/cs2Wxo2Roy
Josh Lim (@joshua_j_lim) 12th of October, 2022
After that, the attacker borrowed $116 million, leaving Mango’s treasury with a balance of -116.7 million. USDC, MSOL, SOL, BTC, USDT, SRM, and MNGO were all drained, erasing all of Mango’s liquidity.
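How marking the position at the raw oracle price turns the spike described above into borrowing power, and how a deviation band around a recent median would flag and limit it, shown as an added example that is not from the article or from Mango Markets' code. The position figures are the rounded ones quoted above; the price ticks, the window and band parameters, and the margin rule (borrow no more than account equity) are assumptions constructed for illustration.

```python
from collections import deque
from statistics import median

# Figures reported in the article (rounded there, so results are approximate).
PERP_SIZE = 483_000_000        # MNGO perps bought by the second account
ENTRY_PRICE = 0.03             # USD paid per unit
USDC_DEPOSIT = 5_000_000       # USDC collateral in that account
BORROW_REQUEST = 116_000_000   # USD value borrowed from the treasury

# Constructed oracle ticks (time ET, USD price); illustrative, not real market data.
TICKS = [("18:19", 0.030), ("18:20", 0.031), ("18:21", 0.029), ("18:22", 0.030),
         ("18:24", 0.032), ("18:26", 0.350), ("18:27", 0.910)]

WINDOW = 5            # hypothetical: samples in the reference window
MAX_DEVIATION = 0.10  # hypothetical: allowed distance from the reference median


def equity(price):
    """Deposit plus unrealized PnL of the long perp position marked at `price`."""
    return USDC_DEPOSIT + PERP_SIZE * (price - ENTRY_PRICE)


def evaluate(ticks, window=WINDOW, max_dev=MAX_DEVIATION):
    """Mark the account at each tick with the raw and the band-limited price."""
    history, rows = deque(maxlen=window), []
    for when, spot in ticks:
        ref = median(history) if len(history) == window else spot
        low, high = ref * (1 - max_dev), ref * (1 + max_dev)
        guarded = min(max(spot, low), high)
        # Simplified margin rule (assumption): borrow value must not exceed equity.
        rows.append({
            "time": when,
            "alert": guarded != spot,  # spot left the band: flag for review
            "raw_borrow_ok": BORROW_REQUEST <= equity(spot),
            "guarded_borrow_ok": BORROW_REQUEST <= equity(guarded),
            "raw_equity": equity(spot),
            "guarded_equity": equity(guarded),
        })
        history.append(spot)
    return rows


if __name__ == "__main__":
    for r in evaluate(TICKS):
        print(f'{r["time"]} alert={r["alert"]!s:5} raw=${r["raw_equity"]:>13,.0f} '
              f'({r["raw_borrow_ok"]}) guarded=${r["guarded_equity"]:>12,.0f} '
              f'({r["guarded_borrow_ok"]})')
```
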
In response, Mango Markets has disabled deposits and is attempting to freeze third-party funds.
A Twitter user pointed out that the attacker received 5.5 million dollars from FTX, prompting FTX CEO Sam Bankman-Fried to say that the company is looking into it.
We can confirm that we are investigating and will take any necessary action/etc.
— SBF (@SBF_FTX) 10/12/2022
Mango Markets has offered the attacker a bug bounty in exchange for the return of the stolen funds.