Analysis

Mango $100M Attack: How a Whale Swindled a Solana DeFi Favorite

Key Takeaways

  • A whale manipulated the price of Mango Markets’ MNGO token to drain over $100 million from the platform.
  • The attacker has put forward a DAO proposal that would see the project commit its treasury to paying off the bad debt.
  • Mango CEO Daffy Durairaj has said that making users whole is his top priority.


In something of an audacious move, the attacker used their MNGO tokens to vote on their own Mango DAO governance proposal.

Whale Targets Mango 

Days after BNB Chain’s bridge was hit by a $566 million exploit, Mango Markets has suffered a nine-figure attack. The Solana DeFi protocol was targeted late Thursday after a whale attacker found a way to profit from manipulating its markets. Mango is a decentralized trading venue built on the Solana blockchain. It offers margin and futures trading, letting Solana DeFi users bet on the price performance of assets like SOL, ETH, and BTC. “Long & short everything,” the tagline on its website reads.

According to a Wednesday tweet storm from the Mango team, the perpetrator used their USDC holdings to take out two large positions in perpetual futures contracts for the MNGO token. This caused an artificial price spike, which allowed the attacker to take out a series of large loans, effectively draining the protocol of its liquidity. They drained over $100 million in a variety of digital assets, including USDC, MSOL, SOL, BTC, USDT, MNGO, and SRM.

While the Mango team said that the MNGO price manipulation was exacerbated after oracles updated to show an inflated price for the token, the oracles worked as designed. Contrary to some reports, this was not an oracle-specific attack, but rather a classic example of market manipulation. The whale was able to execute the attack because they had millions of dollars’ worth of USDC collateral, and they took advantage of the thin trading on the Mango platform. Such attacks can pose a threat to other lending protocols like Mango with similarly low trading activity.

Market manipulation is illegal in the traditional world, but attackers often gravitate toward DeFi, an unregulated market that’s commonly known as “the Wild West of finance.” Even as regulators have started monitoring the space more closely with a focus on stablecoins and protocol thefts, it might take years for them to investigate a case and there are many incidents they miss. That makes DeFi fertile ground for pump-and-dump antics like those carried out by the Mango whale.

DAO Games

However, the whale’s moves following the attack suggest that they’re aware of potential legal proceedings. Posting on the Mango DAO governance forum, the attacker introduced a proposal that would see them return nearly all of the drained funds if the Mango team agreed to use $70 million worth of USDC from its treasury to pay off the protocol’s “dangerous debt.” If passed, the treasury would go to Mango users who had deposited to the now-drained protocol.

In their note, they also suggested that voting for the proposal would count as an agreement to drop any plans for a legal investigation. It read:

“By voting for this proposal, mango token holders agree to pay this bounty and repay the dangerous debt with the treasury, and waive any potential claims against accounts with dangerous debt, and won’t pursue any legal investigations or freezing of funds as soon as the tokens are sent back as described above.”

The proposal puts the Mango team up against its own users, and it also attempts to absolve the attacker of any wrongdoing in the eyes of the law. In reality, however, a DAO governance proposal is unlikely to pass with law enforcement; if authorities decided this attack was worth investigating, they would be unlikely to hesitate because the Mango group agreed not to press charges.

What’s more, the proposal is unlikely to be taken too seriously given the current voting results. The attacker used 32.9 million MNGO tokens to approve their own suggestion, roughly one third of the voting power required for the proposal to pass. It’s due to close early Saturday.

What Comes Next?

While it’s unclear how Mango’s future will look, the team said it froze the protocol early Wednesday to prevent anyone from making new deposits. It also said that preventing further losses, making users whole, and rebuilding in the wake of the attack were “priorities” for the DAO.

In attacks such as this one, teams often offer bug bounties to their attackers for the safe return of the funds. While Mango has not yet made a bounty offer to the attacker, the project’s CEO Daffy Durairaj weighed in on the bad debt proposal. They wrote:

“Hey this is Daffy, we’re working through tallying the losses and limiting losses wherever we are able to. I can’t give a concrete proposal yet, but these are my goals in order of importance: 1. You might be cleared of any wrongdoing 2. You make a wholesome revenue 3. All Mango depositors are made whole 4. Mango DAO maintains some treasury to rebuild What do you think?”

Durairaj didn’t comment on whether the DAO would commit $70 million from its treasury, but his post hints that he hopes the DAO retains at least some of its reserves.

Durairaj also posted a tweet early Wednesday, reiterating to Mango depositors that he would do “everything in [his] power” to recover their funds.

Both Durairaj and the attacker have suggested plans that attempt to make Mango users whole and clear the attacker’s name, letting them make off with a tidy profit in the process. While Durairaj has also expressed hopes for the team to “rebuild” in the fallout from the incident, whether Mango will be able to survive such a huge financial and reputational hit remains to be seen.

Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.
