Mango Markets was the target of a significant attack in which the hacker allegedly stole a whopping $117 million from the Solana-based protocol.
Mango Markets, which is built on Solana, was the victim of a $117 million breach on Tuesday. On October 11th, the team tweeted to inform users that they were investigating the hack and working to have the funds connected to the hacker frozen. They added that deposits would be frozen as a precaution.
“We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We are taking steps to have third parties freeze funds in flight. We will be disabling deposits on the front end as a precaution and will keep you updated as the situation evolves.”
Only a week before the theft, someone attacked the BNB Chain and stole $100 million from the protocol.
The attacker was able to increase the value of their collateral before obtaining loans from the Mango treasury, according to the blockchain auditing website OtterSec.
“It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value and then took out massive loans from the Mango treasury.”
OtterSec’s founder, Robert Chen, claimed that an economic design error was to blame for the attack. He continued by saying that Mango Markets was well aware of this risk.
Details of the hack
In a thorough post-mortem of the Mango Markets hack, blockchain security and auditing company Certik explains how the hacker was able to use the MNGO token to carry out the hack.
“The attacker used two addresses to manipulate the price of MNGO – Mango’s native token and collateral asset – from $0.038 to a peak of $0.91. This allowed them to borrow heavily against their $MNGO collateral, which they did so to the tune of approximately $117 million, though this figure is fluctuating due to the prices of affected tokens reacting to the news.”
Hacken, a blockchain security company, provided more information, noting that the hacker needed $5 million in USDC to launch the attack. The official Twitter account of Mango Markets verified this by tweeting that two accounts funded with USDC had opened long positions in MNGO-PERP. Mango noted that the price of MNGO/USD increased 5x to 10x in a matter of minutes on a variety of platforms, including FTX. The Mango team further stated that the oracle pricing functioned as intended and that no oracle providers were at fault.
“We want to clarify and mention here that neither oracle providers have any fault here. The oracle price reporting worked as it should have.”
The security and auditing company Certik disclosed that they had informed Mango of this issue as early as March 2022, when the subject came up in the Discord channel for the lending platform.
“The vulnerability here stemmed from the thin liquidity on the MNGO/USDC market, which was used as the price reference for the MNGO perpetual swap. With only a few million USDC at their disposal, the attacker was able to pump the price of MNGO by 2,394%. This exact attack vector was apparently raised in Mango’s Discord channel back in March of this year.”
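The mechanism described in the quotes above, a brief spike in collateral price inflating borrowing power, is shown here as an added example; it is not code from Mango Markets or from the firms quoted. It compares a borrow limit valued at the latest price with one valued at a trailing median, and flags samples where the two diverge. The price series, position size, collateral weight, window and threshold are constructed assumptions; only the $0.038 and $0.91 prices come from the article.

```python
from statistics import median

# Constructed per-minute MNGO/USD samples: flat near $0.038, a brief spike
# to the $0.91 peak quoted above, then a fall. Only those two prices are
# from the article; every other value here is an assumption.
PRICES = [0.038, 0.038, 0.039, 0.038, 0.038, 0.15, 0.45, 0.91, 0.60, 0.05]
UNITS = 100_000_000        # constructed MNGO collateral position
COLLATERAL_WEIGHT = 0.8    # assumed share of collateral value that is borrowable
WINDOW = 5                 # assumed number of trailing samples in the reference
MAX_DEVIATION = 1.5        # assumed: flag spot above 1.5x the reference


def reference_price(prices, i, window=WINDOW):
    """Median of up to `window` samples before index i (spot excluded)."""
    history = prices[max(0, i - window):i]
    return median(history) if history else prices[i]


def borrow_limits(prices, units=UNITS):
    """Per sample: (spot, naive_limit, guarded_limit, flagged)."""
    rows = []
    for i, spot in enumerate(prices):
        ref = reference_price(prices, i)
        flagged = spot > ref * MAX_DEVIATION
        # Naive: collateral valued at whatever the latest price is.
        naive = units * spot * COLLATERAL_WEIGHT
        # Guarded: a flagged spike is valued at the trailing median instead.
        guarded = units * (ref if flagged else spot) * COLLATERAL_WEIGHT
        rows.append((spot, naive, guarded, flagged))
    return rows


if __name__ == "__main__":
    for spot, naive, guarded, flagged in borrow_limits(PRICES):
        mark = "SPIKE" if flagged else ""
        print(f"${spot:<6} naive=${naive:>13,.0f} guarded=${guarded:>13,.0f} {mark}")
```

Because the reference is a trailing median, a spike that persists for more than half the window starts to raise it, so the window length and sample interval determine how long a price must hold before it counts toward collateral value.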